Secure transaction using point-of-user-interaction apparatus and method thereof

ABSTRACT

A mobile device is described having an antenna to detect a communication target from a point-of-user-interaction apparatus near the mobile device. The mobile device includes a reader that initiates a transmission of a command to the point-of-user-interaction apparatus and reads a response from the point-of-user-interaction apparatus. A display unit changes its display based on the response and/or the communication target. A circuitry executes instructions to receive a first authentication information from the point-of-user-interaction apparatus. The point-of-user-interaction apparatus transmits a second authentication information to a computing device. The circuitry executes instructions to send the first authentication information to the computing device. The computing device authenticates a transaction between the point-of-user-interaction apparatus and the mobile device via the first and second authentication information and notifies the circuitry of a valid transaction between mobile device and the point-of-user-interaction apparatus after the computing device authenticates the transaction. Unique ID(s) are also exchanged between the mobile device and the point-of-user-interaction apparatus.

CLAIM OF PRIORITY

This application is a continuation of, and claims the benefit ofpriority to U.S. patent application Ser. No. 17/804,535, filed on May27, 2022, titled “SECURE MOBILE TRANSACTION APPARATUS AND METHOD” andwhich is incorporated by reference in its entirety.

BACKGROUND

As mobile communication devices are commonly used in day-to-dayactivities, security of transactions associated with these mobilecommunication devices is paramount. Users of mobile devices can now makepayments with their mobile devices without physically removing andaccessing credit cards. Such mobile payment mechanisms are, however,limited. For example, the mobile payment mechanisms are limited to aparticular operating system. In another instance, manufacturers of themobile device pay feature place restrictions and fees attributed to aparticular operating system and/or manufacturer.

The background description provided here is for the purpose of generallypresenting the context of the disclosure. Unless otherwise indicatedhere, the material described in this section is not prior art to theclaims in this application and are not admitted to be prior art byinclusion in this section.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments of the disclosure will be understood more fully from thedetailed description given below and from the accompanying drawings ofvarious embodiments of the disclosure, which, however, should not betaken to limit the disclosure to the specific embodiments, but are forexplanation and understanding only.

FIG. 1 illustrates a secure mobile transaction system, in accordancewith some embodiments.

FIG. 2 illustrates a mobile device with software and hardware for securemobile transaction, in accordance with some embodiments.

FIG. 3 illustrates a software module executable on a mobile device forsecure mobile transaction, in accordance with some embodiments.

FIG. 4 illustrates a flowchart of a method performed by a mobile deviceto authenticate a secure transaction with a point-of-user-interactionapparatus, in accordance with some embodiments.

FIG. 5 illustrates a system showing system level communication betweenthe mobile device, the point-of-user-interaction apparatus, and acomputing device for secure mobile transaction, in accordance with someembodiments.

FIG. 6 illustrates a system-level flowchart for secure mobiletransaction, in accordance with some embodiments.

FIG. 7 illustrates the point-of-user-interaction apparatus with softwareand hardware for secure mobile transaction, in accordance with someembodiments.

FIG. 8 illustrates a flowchart of a method performed by thepoint-of-user-interaction apparatus for secure mobile transaction, inaccordance with some embodiments.

FIG. 9 illustrates a computing device or a backend server forauthenticating the transaction between the mobile device and thepoint-of-user-interaction apparatus, in accordance with someembodiments.

FIG. 10 illustrates a flowchart of a method performed by the computingdevice or the backend server for authenticating the transaction betweenthe mobile device and the point-of-user-interaction apparatus, inaccordance with some embodiments.

FIG. 11 illustrates another system-level flowchart for secure mobiletransaction, in accordance with some embodiments.

FIG. 12 illustrates a system-level flowchart for secure transaction at arestaurant or a service center, in accordance with some embodiments.

DETAILED DESCRIPTION

Some embodiments describe method and apparatus (and/or system) forsecure mobile transaction. In some embodiments, a mobile device or aninteracting device is used for making a payment or participating orinteracting in a transaction. In some embodiments, the mobile deviceacts as a reader that can read a communication target from apoint-of-user-interaction apparatus. An example of a communicationtarget is a Near-field Communication (NFC) tag such as an ISO 14443compatible radio link, an ISO 18092 compatible radio link, or an IEEE802.15.4 compatible radio link.

In some embodiments, the point-of-user-interaction apparatus comprises amerchant terminal that can process credit card payments using a magneticreader or via a tap of the mobile device on its screen. In someembodiments, the point-of-user-interaction apparatus comprises an activecommunication target transmitter (e.g., an active NFC) instead of themobile device. Upon the tap, an authentication process begins where keysand tokens are exchanged with a backend device (e.g., a computing deviceor server on a cloud). The tokens are decoded by the keys, and thetransaction is authenticated for validity based on the decoding. If thetransaction is valid, the mobile device and thepoint-of-user-interaction apparatus are notified of the validity. Invarious embodiments, the point-of-user-interaction apparatus generates afirst identification.

The first identification (e.g., a matcher token) is used to match afirst authentication information with a second authenticationinformation. In various embodiments, a matcher token is generateddynamically for each transaction. In some embodiments, a merchantidentification (Merchant ID) is a fixed ID for a merchant terminal. Insome embodiments, the first authentication information is generated bythe point-of-user-interaction apparatus and provided to the mobiledevice, which in turn provides it to the computing device (e.g., thebackend). In some embodiments, the point-of-user-interaction apparatustransmits the second authentication information to the backend device.In some embodiments, the mobile device generates a second identification(e.g., customer ID (also referred to as user ID)) which is a uniqueidentification. In various embodiments, the first identification isprovided to the computing device (e.g., the backend device) via themobile device. The second identification is provided to the backenddevice via the point-of-user-interaction apparatus. The secondidentification is used to identify the mobile device to thepoint-of-user-interaction apparatus.

Continuing with this example, which can be modified to use other formsof IDs, the second identification generated by the mobile device can beprovided to the backend via point-of-user-interaction apparatus, and thesecond identification (herein also referred to as a thirdidentification) generated by the point-of-user-interaction apparatus isprovided to backend via mobile device. As such, the backend devicereceives the second identifications (also referred to as the second andthird identifications) from two different sources and via two differentpaths. The second identifications (also referred to as the second andthird identifications) can be a user ID, merchant ID, or other forms ofIDs (such as encrypted IDs). The second and third identifications areusually the same IDs but can be different too. For example, the thirdidentification is an encrypted form of the second identification or viceversa. The encryption can take place on any suitable device. Forexample, the place where the ID resides and/or originates is where theID can be encrypted. In another example, a device transmitting the IDmay encrypt the ID for subsequent transmission. The secondidentifications, in one example, is used to identify the partiesinvolved in the transaction. This exchange of second identifications insuch manner further provides a secure authentication mechanism toauthenticate the transaction upon the tap. The exchange of secondidentifications may occur via any suitable means such as applicationprogrammable interfaces (APIs), NFC communication, wireless or wiredmeans. By exchange of the second identifications, the backend canauthenticate the transaction, in accordance with various embodiments.

There are many technical effects of the various embodiments. Forexample, by making the mobile device a reader instead of making thepoint-of-user-interaction apparatus the reader, and by making thepoint-of-user-interaction apparatus an active communication targettransmitter (e.g., an active NFC) instead of the mobile device, a securetransaction process can be applied to any mobile device regardless ofmobile device manufacture limitations on access to the activecommunication target transmitter. The exchange of information betweenthe point-of-user-interaction apparatus, the mobile device, and thebackend device (e.g., the cloud or computing device) verifies thephysical presence of a user of the mobile device and its interactionwith the point-of-user-interaction apparatus. As such, the validity ofthe transaction is tied to the physical presence of the user, and thisprocess further reduces fraudulent transactions. Other technical effectswill be evident from the various embodiments and drawings.

FIG. 1 illustrates secure mobile transaction system 100, in accordancewith some embodiments. In some embodiments, system 100 comprisespoint-of-user-interaction apparatus 101, mobile device 102, backend orcloud 104 (herein also referred to as a computing device), generator105, and database 106.

In some embodiments, point-of-user-interaction apparatus 101 comprises amerchant terminal 101 a and an add-on 101 b. Here, add-on 101 b is alsoreferred to as point-of-user-interaction module. In some embodiments,point-of-user-interaction module 101 b provides extra capability toexisting merchant terminals so they can seamlessly work with mobiledevice 102 and merchant terminal 101 a to establish secure transactions.The form factor of point-of-user-interaction module 101 b can be similarto a form factor of a micro-SD card. In some embodiments,point-of-user-interaction module 101 b comprises a micro-SD. In someembodiments, point-of-user-interaction module 101 b includes twointerfaces—a first interface and a second interface. In someembodiments, the first interface comprises an NFC radio with anenhancement circuit. In some embodiments, the enhancement circuit may bea controller or a processor or a secure element with a secure function.In some embodiments, the secure element includes applets, keys anddigital certificates. Digital certificates are used to validate theidentity of a certificate holder. Certificate authorities typicallyissue digital certificates. Digital certificates and their functionalityare well known. Secure element applets and encryption keys are also wellknown. In some embodiments, the secure transaction system makesavailable one or more of applets, keys, and/or digital certificates tocreate a trusted relationship with mobile device 102 to authenticate orvalid the transaction.

In some embodiments, the second interface connectspoint-of-user-interaction module 101 b to merchant terminal 101 a. Insome embodiments, point-of-user-interaction module 101 b can communicateover contact-based interface (e.g., a physical interface such asISO7816). In some embodiments, point-of-user-interaction module 101 bcan communicate over contactless-based interface (e.g., ISO14443 basedinterface). In some embodiments, merchant terminal 101 a comprises acontroller to communicate with point-of-user-interaction module 101 band also communicates information cryptographically generated andsecured in point-of-user-interaction module 101 b with backend resourcessuch as backend 104. In some embodiments, merchant terminal 101 aincludes a dedicated hardware capable of connecting to the internet andhosting point-of-user-interaction module 101 b.

In some embodiments, point-of-user-interaction apparatus 101 may be anycomputer, server, or other electronic device capable of communicatingwith mobile device 102 via point-of-user-interaction module 101 b withor without it, and also capable of communicating with backend 104.Examples of point-of-user-interaction apparatus 101 include, but are notlimited to, a voting machine, a point-of-sale terminal, an automatedteller machine (ATM), or the like. In some embodiments,point-of-user-interaction apparatus 101 could be a mobile phone ortablet or phablet. In various embodiments, point-of-user-interactionmodule 101 b is fully integrated into merchant terminal 101 a.

In some embodiments, mobile device 102 is a customer device. Mobiledevice 102 may be a smart device such as a tablet, phone, watch, etc.which can communication with point-of-user-interaction apparatus 101 inseveral ways (e.g., NFC, Bluetooth, etc.). In some embodiments, mobiledevice 102 communicates with point-of-user-interaction module 101 b overISO14443 contactless interface. In some embodiments, mobile device 102communicates information cryptographically generated and secured inpoint-of-user-interaction module 101 b with backend resources such asbackend 104. In some embodiments, when mobile device 102 comes in closeproximity to point-of-user-interaction apparatus 101 and/orpoint-of-user-interaction module 101 b, a tap is registered. A tap maybe registered upon a physical contact of mobile device 102 topoint-of-user-interaction apparatus 101 and/or point-of-user-interactionmodule 101 b or when mobile device 102 gets in the NFC distance range,for example. In some embodiments, upon a tap, mobile device 102 andpoint-of-user-interaction apparatus 101 and/or point-of-user-interactionmodule 101 b exchange tokenized identifiers allowing for mutual trust.As discussed herein, in various embodiments, upon a tap, mobile device102 receives the first authentication information frompoint-of-user-interaction apparatus 101 and/or point-of-user-interactionmodule 101 b. Mobile device 102 then transmits or sends the firstauthentication information to backend 104. In various embodiments, uponthe tap, point-of-user-interaction apparatus 101 and/orpoint-of-user-interaction module 101 b transmits the secondauthentication information to backend 104. Now that backend 104 has boththe first authentication information and the second authenticationinformation, the transaction between mobile device 102 andpoint-of-user-interaction apparatus 101 and/or point-of-user-interactionmodule 101 b caused by the tap is authenticated.

In some embodiments, this exchange of tokenized identifiers isaccomplished by using application programming interfaces (APIs) providedby operating system. Examples of such APIs include Apple® iOS CoreNFCAPI, iOS Universal Linking or Deep Linking, and iOS Background TagReading. In some embodiments, APIs allow for exchange of informationbetween point-of-user-interaction apparatus 101 and/orpoint-of-user-interaction module 101 b and mobile device 102. In someembodiments, APIs may allow exchange of information when a user ofmobile device 102 holds phone near point-of-user-interaction apparatus101 and/or point-of-user-interaction module 101 b. In some embodiments,APIs may allow exchange of information between mobile device 102 andpoint-of-user-interaction apparatus 101 and/or point-of-user-interactionmodule 101 b after a biometric authentication. Examples of biometricauthentication include finger touch, face identification, eyeidentification, etc. In some embodiments, APIs may allow bannernotification on the display. In some embodiments, APIs may allow NFCreader (e.g., mobile device 102) to complete custom protocol informationexchange.

In some embodiments, backend 104 comprises a server or a computingdevice which can decide authentication information from mobile device102 and point-of-user-interaction apparatus 101 to authenticate validityof a transaction. In some embodiments, generator 105 and database 106are part of backend 104. In some embodiments, generator 105 is anapplication script application (e.g., Google™ Apps Script) that works inconjunction with document generation application (e.g., Google Sheetdocument) that automates a back contract or document generation process.In some embodiments, generator 105 communicates with backend resources(e.g., Amazon's AWS resources) to retrieve unprocessed transactions fromdatabase 106. Database 106 can be persistent memory, in accordance withvarious embodiments. In some embodiments, database 106 is an RDS MySQLdatabase from Amazon® Web Services (AWS) and is used to managetransaction data as well as user data. In some embodiments, database 106is organized into multiple tables. Examples of these multiple tablesinclude tables for transactions, customers, merchants, and bankaccounts.

In some embodiments, mobile device 102 can communicate with backend 104via communication 107. Communication 107 can be a cellular communicationor communication via an internet run application on a processor ofmobile device 102. In some embodiments, mobile device 102 communicateswirelessly via communication 108 or 110 with point-of-user-interactionapparatus 101. These communications may be near-field or non-near-fieldcommunications depending on the messaging type and objective. In someembodiments, point-of-user-interaction apparatus 101 communicates withbackend via communication 109. Communication 109 may be a wiredcommunication (e.g., an ethernet cable) or a wireless communication(e.g., non-near-field or cellular). In some embodiments, mobile device102 comprises an antenna to detect or read a communication target frompoint-of-user-interaction apparatus 101 near mobile device 102. In someembodiments, the communication target is stored in thepoint-of-user-interaction module 101 b. In some embodiments, the antennamay comprise one or more directional or omnidirectional antennas,including monopole antennas, dipole antennas, loop antennas, patchantennas, microstrip antennas, coplanar wave antennas, or other types ofantennas suitable for transmission of Radio Frequency (RF) signals. Insome multiple-input multiple-output (MIMO) embodiments, the antennas areseparated to take advantage of spatial diversity.

In some embodiments, the communication target comprises a near-fieldcommunication (NFC) data exchange format (NDEF) target. In someembodiments, the antenna detects or reads the communication target viacommunication signal 108 and/or 110 (e.g., NFC) frompoint-of-user-interaction apparatus 101 and/or point-of-user-interactionmodule 101 b. In some embodiments, mobile device 102 periodically orcontinuously listens for one or more communication targets near it. Forexample, the antenna of mobile device 102 continuously or regularlyinitiates a transmission and listens for a response from communicationtargets near mobile device 102. In some embodiments, the transmissionand the response are near-field communications. In some embodiments,mobile device 102 comprises a camera or a biometric sensor toauthenticate a user of mobile device 102.

In some embodiments, mobile device 102 comprises a reader to initiate atransmission of a command to point-of-user-interaction apparatus 101,and to read a response from point-of-user-interaction apparatus 101,wherein the reader is coupled to the antenna. In some embodiments, thereader (e.g., software and/or hardware) uses near-field ornon-near-field communication 108 to transmit the command topoint-of-user-interaction apparatus 101. In some embodiments, mobiledevice 102 includes a display unit 102 a that changes its display basedon the response from point-of-user-interaction apparatus 101 and/or thecommunication target. In some embodiments, the command may ask whetherpoint-of-user-interaction apparatus 101 is accepting and/or operating ona point-of-sale transaction. Examples of transactions include tallyingvotes on a validated ballot, or the acceptance of a point-of-saletransaction, registering with an organization, attendance verification,security verification at an office, airport, or any point of entry orexit. In some embodiments, the response may be a communication target ortag sent by point-of-user-interaction apparatus 101 to mobile device102.

In some embodiments, mobile device 102 comprises a circuitry thatexecutes instructions to receive a first authentication information frompoint-of-user-interaction apparatus 101. In some embodiments,point-of-user-interaction apparatus 101 transmits a secondauthentication information to backend 104 (e.g., a computing device). Insome embodiments, the circuitry comprises a controller, amicrocontroller, or a processor chip. In some embodiments, the circuitryexecutes instructions to send the first authentication information tobackend 104 via communication 107. In some embodiments, backend 104authenticates a transaction between point-of-user-interaction apparatus101 and mobile device 102 via the first authentication information andthe second authentication information. In some embodiments, backend 104notifies the circuitry of a valid transaction between mobile device 102and point-of-user-interaction apparatus 101 after backend 104authenticates the transaction. As discussed herein, in addition to usingfirst and second authentication information, point-of-user-interactionapparatus 101 and mobile device 102 also exchange IDs to authenticatethe transaction. These IDs include matcher token and customer ID, and/ormerchant ID, in some examples. In some embodiments, the validtransaction is a financial transaction. For example, the financialtransaction is a point-of-sale credit or debit card based transaction.In some embodiments, the valid transaction is casting a voting ballot.

In some embodiments, the first authentication information includes afirst key, associated with a first cryptographic token, frompoint-of-user-interaction apparatus 101. In some embodiments, the firstauthentication information further includes a second cryptographictoken, associated with a second key, from the point-of-user-interactionapparatus. In some embodiments, the second authentication informationincludes the second key and the first cryptographic token.

In various embodiments, point-of-user-interaction apparatus 101generates a first identification. The first identification (e.g., amatcher token) is used to match the first authentication informationwith the second authentication information, in some examples. In variousembodiments, a matcher token is generated dynamically for eachtransaction. Conversely, a merchant identification (Merchant ID) is afixed ID for a merchant terminal. In some embodiments, the firstauthentication information is generated by the point-of-user-interactionapparatus and provided to the mobile device, which in turn provides itto the computing device 104 (e.g., backend 104). In some embodiments,point-of-user-interaction apparatus 101 transmits the secondauthentication information to backend device 104. In some embodiments,mobile device 102 generates a second identification (e.g., customer ID(also referred to as user ID)) which is a unique identification. Invarious embodiments, the first identification is provided to computingdevice 104 (e.g., backend 104) via mobile device 102. The secondidentification is provided to backend device 102 viapoint-of-user-interaction apparatus 101, in accordance with someembodiments. The second identification is used to identify mobile device102 to point-of-user-interaction apparatus 101. In some embodiments,point-of-user-interaction apparatus 101 generates a secondidentification (e.g., merchant ID) which is a unique identification. Invarious embodiments, the first identification is provided to computingdevice 104 (e.g., backend 104) via point-of-user interaction apparatus101. The second identification is provided to backend device 104 viamobile device 102. The second identification is used to identify themobile device to the point-of-user-interaction apparatus.

In some embodiments, the reader comprises a first applicationprogrammable interface (API) to initiate the transmission and to readthe response. In some embodiments, mobile device 102 comprises a secondapplication programmable interface to issue a notification or ahyperlink based on the response, wherein a user interaction with thenotification or the hyperlink is to cause the display of theapplication. This allows an application to open directly without userinteraction or with minimal user interaction. In some embodiments, theapplication may be already downloaded from an application store(AppStore) on mobile device 102. In some embodiments, the notificationor the hyperlink is transmitted from the communication target. In someembodiments, mobile device 102 comprises a camera or a biometric sensorto authenticate a user of mobile device 102 based on a user'sinteraction with the notification or the hyperlink.

In some embodiments, backend 104 is a first computing device, andwherein point-of-user-interaction apparatus 101 transmits the firstcryptographic token and the second key to a second computing device. Insome embodiments, the second computing device transmits the firstcryptographic token and the second key to the first computing device. Invarious embodiments, backend 104 decodes the second cryptographic tokenwith the second key. In some embodiments, backend 104 notifies thecircuitry of a validity of the transaction between mobile device 102 andpoint-of-user-interaction apparatus 101 after the first cryptographictoken and the second cryptographic token are decoded.

FIG. 2 illustrates mobile device 200 with software and hardware forsecure mobile transaction, in accordance with some embodiments. In someembodiments, mobile device 200 includes processor 250, memory 210,display controller 252, touch sensitive display device 254, Bluetoothradio 258, WiFi radio 260, GPS radio 262, cellular radio 264, audiocircuits 266 (e.g., speaker 266 a and Mic 266 b), camera 268,accelerometer 270, secure element 272, and near-field communications(NFC) radio 274. In some embodiments, mobile device 200 may be any typeof device that includes all or some of the components shown. Forexample, in some embodiments, mobile device 200 may be a cell phone, asmartphone, a tablet computer, a laptop computer, or the like.

In some embodiments, processor 250 may be any type of processor capableof executing instructions stored in memory 210 and capable ofinterfacing with the various components shown in FIG. 2 . For example,processor 250 may be a microprocessor, a digital signal processor, anapplication specific processor, or the like. In some embodiments,processor 250 is a component within a larger integrated circuit such asa system on chip (SOC) application specific integrated circuit (ASIC).

Display controller 252 provides an interface between processor 250 andtouch sensitive display device 254. In some embodiments, displaycontroller 252 is integrated within processor 250, and in otherembodiments, display controller 252 is integrated within touch sensitivedisplay device 254.

Touch sensitive display device 254 is a display device that includes atouch sensitive surface, sensor, or set of sensors that accept inputfrom a user. For example, touch sensitive display device 254 may detectwhen and where an object touches the screen, and may also detectmovement of an object across the screen. When touch sensitive displaydevice 254 detects input, display controller 252 and processor 250 (inassociation with user interface component 221) determine the appropriateresponse. For example, in response to user input, applications may bestarted, icons may be moved, or fast pay application may be started forsecure payment transaction.

Touch sensitive display device 254 may be manufactured using anyapplicable display technologies, including for example, liquid crystaldisplay (LCD), active matrix organic light emitting diode (AMOLED), andthe like. Further, touch sensitive display device 254 may bemanufactured using any application touch sensitive input technologies,including for example, capacitive and resistive touch screentechnologies, as well as other proximity sensor technologies.

Bluetooth radio 258 is a type of non-near-field radio capable ofcommunicating on a frequency between 2.402 GHz and 2.480 GHz. Bluetoothis an example of a non-near-field protocol because the wavelength is onthe order of 4.5 inches and the intended communication distance istypically much greater than 4.5 inches. The use of the term“non-near-field radio” is not meant to imply that the distance ofcommunication cannot be less than the wavelength for the non-near-fieldradio. Bluetooth radio 258 can communicate on a personal-area network(PAN) with other Bluetooth devices on the personal-area network. In someembodiments Bluetooth radio 258 is omitted.

WiFi radio 260 may be any type of radio capable of communicating over awireless network. Examples include radios that are compatible with oneor more of the Institute of Electrical and Electronics Engineers (IEEE)802.11 standards. In some embodiments, WiFi radio 260 is omitted. Insome embodiments, mobile device 200 uses WiFi radio 260 to communicatewith backend 104.

GPS radio 262 includes a global positioning system (GPS) receivercapable of determining the present location (e.g., latitude andlongitude) of mobile device 200. In some embodiments, GPS radio 262 isused to provide location information to communicate with backend 104.Cellular radio 264 may be any type of radio that can communicate withina cellular network. Examples include, but are not limited to, radiosthat communicate using orthogonal frequency division multiplexing(OFDM), code division multiple access (CDMA), time division multipleaccess (TDMA), and the like. Cellular radio 264 may operate at anyfrequency or combination of frequencies without departing from the scopeof the present invention. In some embodiments, cellular radio 264 isomitted. In some embodiments, mobile device 200 uses cellular radio 264to communicate with backend 104.

Audio circuits 266 provide an interface between processor 250 and audiodevices such as a speaker and microphone.

Camera 268 may be any camera suitable for use in a mobile device. Forexample, camera 268 may include a CMOS sensor with optics or any othertype of image capture device at any resolution. Camera 268 may beoperated by a camera software application (not shown). Accelerometer 270detects motion of mobile device 200, and may be used by any softwareapplication.

In some embodiments, secure element 272 provides secure informationstorage. In some embodiments, secure element 272 is a smartcardcompatible secure element commonly found in credit card applicationsand/or security applications. NFC radio 274 provides near-fieldcommunications capability between mobile device 200 and other devicesnearby. In some embodiments, NFC radio 274 may operate at 13.56megahertz, although this is not a limitation of the present invention.In some embodiments, mobile device 200 uses NFC radio 274 to communicatewith point-of-user interface apparatus 101.

In some embodiments, secure element 272 is combined with NFC radio 274in a single integrated circuit such as a smartcard controller. In otherembodiments, secure element 272, or a combination of secure element 272and NFC radio 274 are integrated into another semiconductor device suchas processor 250.

Examples of smart card controllers that combine secure element 272 withNFC radio 274 are the “SmartMX” controllers sold by NXP SemiconductorsN.V. of Eindhoven, The Netherlands. In some embodiments, the secureelement has an ISO/IEC 7816 compatible interface that communicates withother components within mobile device 200 (e.g., processor 250),although this is not a limitation of the present invention. Further, insome embodiments, NFC radio 274 has an ISO/IEC 14443 contactlessinterface.

Mobile device 200 may include many other circuits and services that arenot specifically shown in FIG. 2 . For example, in some embodiments,mobile device 200 may include an additional camera, haptic feedbackdevices, and the like. Any number and/or type of circuits and servicesmay be included within mobile device 200 without departing from thescope of the various embodiments.

Memory 210 may include any type of memory device. For example, memory210 may include volatile memory such as static random-access memory(SRAM), or nonvolatile memory such as FLASH memory. Memory 210 isencoded with (or has stored therein) one or more software modules (orsets of instructions), that when accessed by processor 250, result inprocessor 250 performing various functions. In some embodiments, thesoftware modules stored in memory 210 may include an operating system(OS) 220 and applications 230. Applications 230 may include any numberor type of applications. Examples provided in FIG. 2 include a telephoneapplication 231, a contacts application 232, a music player application233, and a fast pay or secure transaction application 235. Memory 210may also include any amount of space dedicated to data storage 240.

Operating system 220 may be a mobile device operating system such as anoperating system to control a mobile phone, smartphone, tablet computer,laptop computer, or the like. As shown in FIG. 2 , operating system 220includes user interface component 221. Operating system 220 may includemany other components without departing from the scope of the presentinvention.

User interface component 221 includes processor instructions that causemobile device 200 to display content on touch sensitive display device254, recognize user input, and to provide the user input toapplications. User interface component 221 also includes instructions todisplay menus, move icons, and manage other portions of the displayenvironment.

Telephone application 231 may be an application that controls a cellphone radio. Contacts application 232 includes software that organizescontact information. Contacts application 232 may communicate withtelephone application 231 to facilitate phone calls to contacts. Musicplayer application 233 may be a software application that plays musicfiles that are stored in data storage 240.

Fast pay or secure transaction application 235 may be a softwareapplication that communicates with a banking service to allow bankingfunctions such as balance inquiries, funds transfers, bill payment andthe like. Fast pay or secure transaction application 235 may be adownloaded “thick” application, or may be a “thin” application that usesinternet browser functionality. Other application examples includeapplications that store an identity such as a passport or a buildingaccess identity.

In some embodiments, mobile banking application 235 includes processorinstructions that allow mobile device 200 to perform mobile payments.For example, fast pay or secure transaction application 235 may includeprocessor instructions that handle access to one or more paymentinstruments such as credit cards, debit cards, and pre-paid cards. Insome embodiments, fast pay or secure transaction application 235communicates with smartcard secure element 272 and/or NFC radio 274within mobile device 200. For example, fast pay or secure transaction235 may store and access payment identities in smartcard secure element272 and allow proximity payments using NFC radio 274.

Each of the above-identified applications correspond to a set ofinstructions for performing one or more functions described above. Theseapplications (sets of instructions) need not be implemented as separatesoftware programs, procedures or modules, and thus various subsets ofthese applications may be combined or otherwise re-arranged in variousembodiments. For example, telephone application 231 may be combined withcontacts application 232. Furthermore, memory 210 may store additionalapplications (e.g., video players, camera applications, etc.) and datastructures not described above.

It should be noted that mobile device 200 is presented as an example ofa user device, and that mobile device 200 may have more or fewercomponents than shown, may combine two or more components, or may have adifferent configuration or arrangement of components. For example,mobile device 200 may include many more components such as sensors(optical, touch, proximity etc.), or any other components suitable foruse in a mobile device.

FIG. 3 illustrates software module 300 executable on mobile device 102for secure mobile transaction, in accordance with some embodiments.Software module 300 is part of the overall secure transaction softwareexecutable on mobile device 102. In various embodiments, software module300 comprises reader 320 to initiate a transmission of a command topoint-of-user-interaction apparatus 101, and to read a response frompoint-of-user-interaction apparatus 101. In some embodiments, reader 320includes a first API 321 to initiate the transmission and to read theresponse. In some embodiments, first API 321 is used for background tagreading. In some embodiments, software module 300 includes a second API322 to issue a notification or a hyperlink based on the response. Insome embodiments, second API 322 is used for information exchange. Insome embodiments, a user interaction with the notification or thehyperlink causes the display of the application. In some embodiments,the notification or the hyperlink is transmitted from the communicationtarget (e.g., NFC tag). In some embodiments, software module 300includes a user interface 340 to access or communicate with softwaremodule 300. In some embodiments, camera 268 or any other biometricsensor is used to authenticate a user of mobile device 102 based on auser's interaction with the notification or the hyperlink.

FIG. 4 illustrates flowchart 400 of a method performed by mobile device102 to authenticate a secure transaction with point-of-user-interactionapparatus 101, in accordance with some embodiments. While the blocks inflowchart 400 are shown in a particular order, the order can bemodified. For example, some blocks may be performed in parallel whilesome blocks may be performed before others. The blocks here can beimplemented in software, hardware, or a combination of both.

At block 402, mobile device 102 detects or reads a communication targetfrom point-of-user-interaction apparatus 101 near mobile device 102. Atblock 404, mobile device 102 initiates a transmission of a command topoint-of-user-interaction apparatus 101. At block 406, mobile device 102reads a response from point-of-user-interaction apparatus 101 inresponse to the command. In one example, the transmission and theresponse are near-field communications. In some embodiments, the methodof reading the response comprises operating a first applicationprogrammable interface to initiate the transmission and to read theresponse.

At block 408, mobile device 102 displays an application based on theresponse from point-of-user-interaction apparatus 101 and/or thecommunication target (e.g., NFC data exchange format (NDEF) target). Atblock 410, mobile device 102 receives a first authentication informationfrom the point-of-user-interaction apparatus. At block 412, mobiledevice 102 transmits the first authentication information to backend104. In some embodiments, backend 104 receives a second authenticationinformation directly or indirectly from point-of-user-interactionapparatus 101. In some embodiments, wherein backend 104 authenticates atransaction between point-of-user-interaction apparatus 101 and mobiledevice 102 via the first authentication information and the secondauthentication information.

As discussed herein, the first authentication information includes afirst key, associated with a first cryptographic token, frompoint-of-user-interaction apparatus 101. The first authenticationinformation further includes a second cryptographic token, associatedwith a second key, from the point-of-user-interaction apparatus. In someembodiments, the second authentication information includes the secondkey and the first cryptographic token. In some embodiments, the key(e.g., the first key and/or the second key) is a symmetric key. In someembodiments, the key (e.g., the first key and/or the second key) is anasymmetric key. In some embodiments, the method of detecting or readingthe communication target comprises continuously or regularly listeningfor communication targets near the mobile device.

In some embodiments, the method comprises operating a second applicationprogrammable interface to issue a notification or a hyperlink based onthe response. As discussed herein, a user interaction of notification orthe hyperlink causes the display of the application. The notification orthe hyperlink is embedded in the communication target. In some examples,the valid transaction is a financial transaction, or a voting ballot. Insome embodiments, the method comprises transmitting the first key andthe second cryptographic token to backend 104. In some embodiments,backend 104 decodes the second cryptographic token with the second key.

At block 414, mobile device 102 sends a unique identification (e.g.,customer ID) to backend 104. As discussed herein, an exchange of IDstakes place originating from mobile device 102 andpoint-of-user-interaction apparatus 101 to verify the transaction andthe tap. In some embodiments, point-of-user-interaction apparatus 101generates a first identification. The first identification (e.g., amatcher token) is used to match the first authentication informationwith the second authentication information, in some examples. In variousembodiments, a matcher token is generated dynamically for eachtransaction. Conversely, a merchant identification (Merchant ID) is afixed ID for a merchant terminal. In some embodiments, the firstauthentication information is generated by the point-of-user-interactionapparatus and provided to the mobile device, which in turn provides itto the computing device 104 (e.g., backend 104). In some embodiments,point-of-user-interaction apparatus 101 transmits the secondauthentication information to backend device 104.

In various embodiments, there is an exchange of identifications betweenmobile device 102 and point-of-user-interaction apparatus 101 to furthersecure the transaction between mobile device 102 andpoint-of-user-interaction apparatus 101 caused by a tap. For example,mobile device 102 generates a second identification (e.g., customer ID(also referred to as user ID)) which is a unique identification. Invarious embodiments, the first identification is provided to computingdevice 104 (e.g., backend 104) via mobile device 102. The secondidentification is provided to backend device 102 viapoint-of-user-interaction apparatus 101, in accordance with someembodiments. The second identification is used to identify mobile device102 to point-of-user-interaction apparatus 101. In some embodiments,point-of-user-interaction apparatus 101 generates a secondidentification (e.g., merchant ID) which is a unique identification. Invarious embodiments, the first identification is provided to computingdevice 104 (e.g., backend 104) via point-of-user interaction apparatus101. The second identification is provided to backend device 104 viamobile device 102. The second identification is used to identify themobile device to the point-of-user-interaction apparatus.

Continuing with this example, which can be modified to use other formsof IDs, the second identification generated by mobile device 102 can beprovided to backend 104 via point-of-user-interaction apparatus 101. Thesecond identification (herein also referred to as a thirdidentification) is generated by point-of-user-interaction apparatus 101is provided to backend 104 via mobile device 102. As such, backenddevice 104 receives the second identifications (also referred to as thesecond and third identifications) from two different sources and via twodifferent paths. The second identifications (also referred to as thesecond and third identifications) can be a user ID, merchant ID, orother forms of IDs (such as encrypted IDs). The second and thirdidentifications are usually the same IDs but can be different too. Forexample, the third identification is an encrypted form of the secondidentification or vice versa. The encryption can take place on anysuitable device. For example, the place where the ID resides and/ororiginates is where the ID can be encrypted. In another example, adevice transmitting the ID may encrypt the ID for subsequenttransmission. The second identifications, in one example, is used toidentify the parties involved in the transaction. This exchange ofsecond identifications in such manner further provides a secureauthentication mechanism to authenticate the transaction upon the tap.The exchange of second identifications may occur via any suitable meanssuch as application programmable interfaces (APIs), NFC communication,wireless or wired means. By exchange of the second identifications,backend 104 can authenticate the transaction and/or the tap, inaccordance with various embodiments.

In some embodiments, the method comprises receiving a notification of avalid transaction between mobile device 102 andpoint-of-user-interaction apparatus 101 after the first cryptographictoken and the second cryptographic token are decoded. In someembodiments, point-of-user-interaction apparatus 101 generates a firstidentification, wherein the first identification is used to match thefirst authentication information with the second authenticationinformation. An example of the first identification is a matcheridentification (matcher token). In one example, a matcher token or amatcher ID can be a 16-byte unique identifier used to match a firstauthentication information with a second authentication information sothat a first key can be used to decode a first cryptographic token and asecond key can be used to decode a second cryptographic token.

At block 416, mobile device 102 receives a notification, from backend104, of a valid transaction between mobile device 102 andpoint-of-user-interaction apparatus 101 after backend 104 authenticatesthe transaction.

FIG. 5 illustrates system 500 showing system level communication betweenmobile device 102, point-of-user-interaction apparatus 101, and acomputing device (herein backend 104) for secure mobile transaction, inaccordance with some embodiments. As discussed herein, mobile device 102executes instructions to receive a first authentication information frompoint-of-user-interaction apparatus 101, while point-of-user-interactionapparatus 101 transmits a second authentication information to backend104. Mobile device 102 then executes instructions to send the firstauthentication information to backend 104. This is done for backend 104to authenticate a transaction between point-of-user-interactionapparatus 101 and mobile device 102. In addition to the authenticationinformation, additional identification may also be communicated betweenmobile device 102, point-of-user-interaction apparatus 101, and backend104.

In some embodiments, mobile device 102 provides its uniqueidentification (User ID) to point-of-user-interaction apparatus 101. Insome embodiments, point-of-user-interaction apparatus 101 may includetwo separate modules that are communicatively coupled. These modulesinclude add-on 101 b (also referred to as point-of-user-interactionmodule 101 a) and main merchant terminal 101 a (also referred to asmerchant terminal 501 a). In various embodiments,point-of-user-interaction module 101 a performs a security function andincludes a controller or microcontroller (or processor). Here,point-of-user-interaction module 101 a is referred to as a secureelement 501 b. In some embodiments, secure element 501 b includes afirst controller 521 b. In some embodiments, merchant terminal 501 aincludes a second controller 521 a.

In some embodiments, secure element 501 a includes applets, keys anddigital certificates. Digital certificates are used to validate theidentity of a certificate holder. Certificate authorities typicallyissue digital certificates. In some embodiments, the secure transactionsystem makes available one or more of applets, keys, and/or digitalcertificates to create a trusted relationship with mobile device 102 toauthenticate or valid the transaction.

In some embodiments, secure element 501 b generates the firstauthentication information which includes TID Token2 and TID Key1. Invarious embodiments, secure element 501 b provides the firstauthentication information to mobile device 102. In addition to thefirst authentication information, secure element 501 b also providesMerchant ID and Matcher (herein also referred to as Matcher token orMatcher ID) to mobile device 102. In some embodiments, Merchant ID is anidentification of merchant terminal 501 a. Secure element receives theMerchant ID from merchant terminal 501 a and provides it to mobiledevice 102. In some embodiments, secure element 501 b generates thesecond authentication information. The second authentication informationincludes TID Token1 and TID Key2. In various embodiments,point-of-user-interaction apparatus 101 sends the second authenticationinformation to backend 104. In addition to the second authenticationinformation, point-of-user-interaction apparatus 101 also sends theMatcher and User ID to backend 104. The keys and corresponding tokensare split and send to backend 104 via different devices (e.g.,point-of-user-interaction apparatus 101 and mobile device 102) so thatone device sends a key and another device sends the corresponding tokento backend 104. For example, Key1 of Token1 is sent to backend 104 viamobile device 102, while Token1 is sent to backend 104 viapoint-of-user-interaction apparatus 101. Likewise, Key2 of Token2 issent to backend 104 via point-of-user-interaction apparatus 101, whileToken2 is sent to backend 104 via mobile device 102. In someembodiments, TID Key1 and/or TID Key2 are symmetric keys. In someembodiments, TID Key1 and/or TID Key2 are asymmetric keys.

In various embodiments, Matcher ID (also referred herein as “Matcher”)is like the Transaction ID (also referred herein as TID) except it isnot encrypted. As discussed herein, a TID includes a token and acorresponding key to decode the token. In some embodiments, Matcher IDis a randomly generated token used to match the first authenticationinformation with the second authentication information. In someembodiments, the Matcher ID is used to identify which firstauthentication information packets are paired to which secondauthentication information packets. Once the packets are paired, thetransaction can be verified by seeing if the decrypted or decoded TIDsfrom each authentication information packet are equivalent.

In some embodiments, User ID (also referred to herein as UID or CustomerID (CID)) is a unique identifier that is passed from mobile device 102to secure element 501 b (e.g., point-of-user-interaction module 101 b)and then read by merchant terminal 501 a. This allows a user of mobiledevice 102 to identify themself to merchant terminal 501 a (via secureelement 501 b). The same is true for the Merchant ID (aka MID), exceptreversed. For example, MID is passed from merchant terminal 501 a tomobile device 102 directly or indirectly via secure element 501 b.

As discussed herein, in some embodiments, merchant terminal 501 a andsecure element 501 b are integrated on a common platform. For example,first controller 521 b and second controller 521 a that perform variousfunctions of secure element 501 b and merchant terminal 501 a,respectively, are implemented on a single system-on-chip (SoC). In onesuch embodiment, a user of mobile device 102 identifies themself topoint-of-user-interaction apparatus 101 which includes the integratedmerchant terminal 501 a and secure element 501 b.

In some embodiments, backend 104 is not only getting informationgenerated by point-of-user-interaction apparatus 101 but the informationis also exchanged between mobile device 102 andpoint-of-user-interaction apparatus 101 (and between secure element 501b and merchant terminal 501 a) to identify the parties performing thetransaction. The exchange between mobile device 102 andpoint-of-user-interaction apparatus 101 is a) a two-way informationexchange where b) each party (e.g., mobile device 102 andpoint-of-user-interaction apparatus 101) can generate dynamicinformation, and c) each party is connected to a network (e.g.,cellular, WiFi, and/or physical ethernet). These three security featuresallow for mutual verification of each party's location and identity atthe point of transaction or sale.

A traditional credit card payment mechanism on a mobile device cangenerate dynamic information to ensure security and can communicate thatdata back to a payment terminal, but it is not capable to connect to anetwork. While smart phones are typically connected to a network, thecredit card transactions conducted with smart phones represent thetraditional credit card payment mechanism.

The following example illustrates how the exchange of information ofvarious embodiments to identify the parties (customer and merchant)performing the transaction is different from traditional QR codereading. A QR code (or any matrix barcode) can be dynamically generatedbut lacks a two-way communication as discussed herein with reference tovarious embodiments. Assume a point-of-user-interaction apparatus 101can generate a dynamic QR code on display unit 101 a (ofpoint-of-user-interaction apparatus 101). That QR code can contain a TID(& MID). Further assume that point-of-user-interaction apparatus 101 (ormerchant device 501 a) can post the TID to backend 104. In this case,the customer, using their QR code scanner on their mobile device canscan the QR Code and post the TID to backend 104. However, QR codescheme is not capable of accomplishing two-way information exchangespecifically for the customer to identify themselves. Even if the rolesare reversed, where a merchant device such as point-of-user-interactionapparatus 101 scans a QR code generated on a customer's device, themerchant (e.g., owner of point-of-user-interaction apparatus 101) isunable to identify itself to the customer (e.g., user of mobile device102).

FIG. 6 illustrates system-level flowchart 600 for secure mobiletransaction, in accordance with some embodiments. While the blocks inflowchart 600 are shown in a particular order, the order can bemodified. For example, some blocks may be performed in parallel whilesome blocks may be performed before others. System-level flowchart 600involves interactions of point-of-user-interaction apparatus 101, mobiledevice 102, and backend 104. The operations here can be performed bysoftware, hardware, or a combination of them. At block 601,point-of-user-interaction apparatus 101 and/or mobile device 102 waitsfor T1 time (e.g., 2 seconds) for tap by mobile device 102 topoint-of-user-interaction apparatus 101 (also referred here generally asa merchant terminal). At block 602, point-of-user-interaction apparatus101 and/or mobile device 102 changes its internal state variable todetermine whether after waiting for T1 time, mobile device 102 tappedpoint-of-user-interaction apparatus 101. If no such tap happened, theprocess proceeds to block 604, otherwise the process proceeds to block603. At block 604, point-of-user-interaction apparatus 101 and/or mobiledevice 102 determines whether its internal state variable is valid. Ifthe internal state is invalid state, the process proceeds to block 606,otherwise the process proceeds to block 601 where the system continuesto wait for a tap. At block 606, secure element 521 b (or add-on 101 b)is reset and the process proceeds to block 601. This allowspoint-of-user-interaction apparatus 101 to reestablish its function forsecure element 521 b or add-on 101 b. At block 603, after it isdetermined that a proper tap was detected between mobile device 102 andpoint-of-user-interaction apparatus 101, the first and secondauthentication information are procured and provided to backend 104 fordecryption or decoding.

For example, mobile device 102 receives the first authenticationinformation (TID Token2 and TID Key1) from point-of-user-interactionapparatus 101 (or secure element 501 b). Likewise,point-of-user-interaction apparatus 101 transmits the secondauthentication information (e.g., TID Token1 and TID Key2) to backend104. In addition to providing the first and second information tobackend 104, User ID is provided by mobile device 102 topoint-of-user-interaction apparatus 101 while point-of-user-interactionapparatus 101 provides Matcher ID and Merchant ID to mobile device 102.In various embodiments, point-of-user-interaction apparatus 101 providesthe Matcher ID and the User ID to backend 104. In various embodiments,mobile device 102 provides Matcher ID and Merchant ID to backend 104.This exchange of information between mobile device 102 andpoint-of-user-interaction apparatus 101 allows backend 104 to ascertainthat a physical use of mobile device 102 is recognized and a securetransaction is enabled between mobile device 102 andpoint-of-user-interaction apparatus 101. The exchange of information andreception of that information by backend 104 is illustrated by block605. The process then continued to wait for a next tap between anymobile device and point-of-user-interaction apparatus 101.

FIG. 7 illustrates point-of-user-interaction apparatus 700 (e.g., 101)with software and hardware for secure mobile transaction, in accordancewith some embodiments. In some embodiments, point-of-user-interactionapparatus 700 includes processor 750, memory 710, display controller752, touch sensitive display device 754, Bluetooth (BT) radio 758, WiFiradio 760, GPS radio 762, cellular radio 764, audio circuits 766 (e.g.,speaker 766 a and Mic 766 b), camera 768, accelerometer 770, secureelement 772, near-field communications (NFC) radio 774, and credit cardterminal 778. In some embodiments, point-of-user-interaction apparatus700 may be any type of device that includes all or some of thecomponents shown. For example, in some embodiments,point-of-user-interaction apparatus 700 may be a cell phone, asmartphone, a tablet computer, a laptop computer, a dedicated merchantterminal, a point-of-sale terminal, etc. In various embodiments, theradios discussed herein have associated antennas. In some embodiments,the antenna may comprise one or more directional or omnidirectionalantennas, including monopole antennas, dipole antennas, loop antennas,patch antennas, microstrip antennas, coplanar wave antennas, or othertypes of antennas suitable for transmission of Radio Frequency (RF)signals. In some multiple-input multiple-output (MIMO) embodiments, theantennas are separated to take advantage of spatial diversity.

In some embodiments, processor 750 may be any type of processor capableof executing instructions stored in memory 710 and capable ofinterfacing with the various components shown in FIG. 2 . For example,processor 750 may be a microprocessor, a digital signal processor, anapplication specific processor, or the like. In some embodiments,processor 750 is a component within a larger integrated circuit such asa system on chip (SOC) application specific integrated circuit (ASIC).In some embodiments, processor 750 may include integrated firstcontroller 521 b and second controller 521 a. In some embodiments,processor 750 represents to separate controllers—first controller 521 band second controller 521 a.

Display controller 752 provides an interface between processor 750 andtouch sensitive display device 754 (e.g., 101 a). In some embodiments,display controller 752 is integrated within processor 750, and in otherembodiments, display controller 752 is integrated within touch sensitivedisplay device 754.

Touch sensitive display device 754 is a display device that includes atouch sensitive surface, sensor, or set of sensors that accept inputfrom a user. For example, touch sensitive display device 754 may detectwhen and where an object touches the screen, and may also detectmovement of an object across the screen. When touch sensitive displaydevice 754 detects input, display controller 752 and processor 750 (inassociation with user interface component 721) determine the appropriateresponse. For example, in response to user input, applications may bestarted, icons may be moved, or fast pay application may be started forsecure payment transaction.

Touch sensitive display device 754 may be manufactured using anyapplicable display technologies, including for example, liquid crystaldisplay (LCD), active-matrix organic light emitting diode (AMOLED), andthe like. Further, touch sensitive display device 754 may bemanufactured using any application touch sensitive input technologies,including for example, capacitive and resistive touch screentechnologies, as well as other proximity sensor technologies.

Bluetooth radio 758 is a type of non-near-field radio capable ofcommunicating on a frequency between 2.402 GHz and 2.480 GHz. Bluetoothis an example of a non-near-field protocol because the wavelength is onthe order of 4.5 inches and the intended communication distance istypically much greater than 4.5 inches. Bluetooth radio 758 cancommunicate on a personal-area network (PAN) with other Bluetoothdevices on the personal-area network. In some embodiments Bluetoothradio 758 is omitted.

WiFi radio 760 may be any type of radio capable of communicating over awireless network. Examples include radios that are compatible with oneor more of the Institute of Electrical and Electronics Engineers (IEEE)802.11 standards. In some embodiments, WiFi radio 760 is omitted. Insome embodiments, point-of-user-interaction apparatus 700 uses WiFiradio 760 to communicate with backend 104 and/or mobile device 102.

GPS radio 762 includes a global positioning system (GPS) receivercapable of determining the present location (e.g., latitude andlongitude) of point-of-user-interaction apparatus 700. In someembodiments, GPS radio 762 is used to provide location information tocommunicate with backend 104. Cellular radio 764 may be any type ofradio that can communicate within a cellular network. Examples include,but are not limited to, radios that communicate using orthogonalfrequency division multiplexing (OFDM), code division multiple access(CDMA), time division multiple access (TDMA), and the like. Cellularradio 764 may operate at any frequency or combination of frequencieswithout departing from the scope of the present invention. In someembodiments, cellular radio 764 is omitted. In some embodiments,point-of-user-interaction apparatus 700 uses cellular radio 764 tocommunicate with backend 104. In some embodiments,point-of-user-interaction apparatus 700 uses a wired communication meansto communicate with backend 104. For example, point-of-user-interactionapparatus 700 uses an ethernet cable to communicate with backend 104. Invarious embodiments, audio circuits 766 provide an interface betweenprocessor 750 and audio devices such as speaker 766 a and microphone mic766 b.

Camera 768 may be any camera suitable for use in a mobile device. Forexample, camera 768 may include a CMOS sensor with optics or any othertype of image capture device at any resolution. Camera 768 may beoperated by a camera software application (not shown). Accelerometer 770detects motion of point-of-user-interaction apparatus 700 and may beused by any software application.

In some embodiments, secure element 772 (e.g., secure element 501 b)provides secure information storage. In some embodiments, secure element772 is a smartcard compatible secure element commonly found in creditcard applications and/or security applications. NFC radio 774 providesnear-field communications capability between point-of-user-interactionapparatus 700 and other devices nearby (e.g., mobile device 102). Insome embodiments, NFC radio 774 may operate at 13.56 megahertz, althoughthis is not a limitation of the present invention. In some embodiments,point-of-user-interaction apparatus 700 uses NFC radio 274 tocommunicate with mobile device 102.

In some embodiments, secure element 772 is combined with NFC radio 774in a single integrated circuit such as a smartcard controller. In otherembodiments, secure element 772, or a combination of secure element 772and NFC radio 774 are integrated into another semiconductor device suchas processor 750. In some embodiments, secure element 772 includesapplets, keys and digital certificates. Digital certificates are used tovalidate the identity of a certificate holder. Certificate authoritiestypically issue digital certificates. In some embodiments, the securetransaction system makes available one or more of applets, keys, and/ordigital certificates to create a trusted relationship with mobile device102 to authenticate or valid the transaction.

Examples of smart card controllers that combine secure element 772 withNFC radio 774 are the “SmartMX” controllers sold by NXP SemiconductorsN.V. of Eindhoven, The Netherlands. In some embodiments, secure element772 has an ISO/IEC 7816 compatible interface that communicates withother components within point-of-user-interaction apparatus 700 (e.g.,processor 750), although this is not a limitation of the presentinvention. Further, in some embodiments, NFC radio 774 has an ISO/IEC14443 contactless interface.

Point-of-user-interaction apparatus 700 may include many other circuitsand services that are not specifically shown in FIG. 2 . For example, insome embodiments, point-of-user-interaction apparatus 700 may include anadditional camera, haptic feedback devices, and the like. Any numberand/or type of circuits and services may be included withinpoint-of-user-interaction apparatus 700 without departing from the scopeof the various embodiments.

Memory 710 may include any type of memory device. For example, memory710 may include volatile memory such as static random-access memory(SRAM), or nonvolatile memory such as FLASH memory. Memory 710 isencoded with (or has stored therein) one or more software modules (orsets of instructions), that when accessed by processor 750, result inprocessor 750 performing various functions. In some embodiments, thesoftware modules stored in memory 710 may include an operating system(OS) 720 and applications 730. Applications 730 may include any numberor type of applications. Examples provided in FIG. 2 include acommunication application 731, a menu 732, a print application 733, anemail application 734, and a fast pay or secure transaction application735. Memory 710 may also include any amount of space dedicated to datastorage 740.

Operating system 720 may be a mobile device operating system such as anoperating system to control a mobile phone, smartphone, tablet computer,laptop computer, or the like. As shown in FIG. 2 , operating system 720includes user interface component 721. Operating system 720 may includemany other components without departing from the scope of the presentinvention.

User interface component 721 includes processor instructions that causepoint-of-user-interaction apparatus 700 to display content on touchsensitive display device 754, recognize user input, and to provide theuser input to applications. User interface component 721 also includesinstructions to display menus, move icons, and manage other portions ofthe display environment.

Communication application 731 may be an application that controls acellular radio 764 and/or other radios. Menu application 732 includessoftware that organizes a list of offerings. For example, menuapplication 732 may include a list of items for sale wherepoint-of-user-interaction apparatus 700 is being employed. Printerapplication 733 may be a software application that prints files ordocuments that are stored in data store 740. Email application 734 maybe a software application to send and receive electronic mail.

Fast pay or secure transaction application 735 may be a softwareapplication that communicates with a banking service to allow bankingfunctions such as balance inquiries, funds transfers, bill payment andthe like. Fast pay or secure transaction application 735 may be adownloaded “thick” application, or may be a “thin” application that usesinternet browser functionality. Other application examples includeapplications that store an identity such as a passport or a buildingaccess identity.

In some embodiments, Fast Pay or secure transaction application 735includes processor instructions that allow point-of-user-interactionapparatus 700 to process payments from mobile devices. For example, fastpay or secure transaction application 735 may include processorinstructions that handle access to one or more payment instruments suchas credit cards, debit cards, and pre-paid cards. In some embodiments,fast pay or secure transaction application 735 communicates withsmartcard secure element 772 and/or NFC radio 774 withinpoint-of-user-interaction apparatus 700. For example, fast pay or securetransaction 735 may store and access payment identities in smartcardsecure element 772 and allow proximity payments using NFC radio 774.

Each of the above-identified applications correspond to a set ofinstructions for performing one or more functions described above. Theseapplications (sets of instructions) need not be implemented as separatesoftware programs, procedures or modules, and thus various subsets ofthese applications may be combined or otherwise re-arranged in variousembodiments. For example, communication application 731 may be combinedwith email application 734. Furthermore, memory 710 may store additionalapplications (e.g., video players, camera applications, etc.) and datastructures not described above.

It should be noted that point-of-user-interaction apparatus 700 ispresented as an example of a merchant terminal device, and thatpoint-of-user-interaction apparatus 700 may have more or fewercomponents than shown, may combine two or more components, or may have adifferent configuration or arrangement of components. For example,point-of-user-interaction apparatus 700 may include many more componentssuch as sensors (optical, touch, proximity etc.), or any othercomponents suitable for use in a point-of-sale merchant terminal, avoting machine, etc.

FIG. 8 illustrates flowchart 800 of a method performed bypoint-of-user-interaction apparatus 101 for secure mobile transaction,in accordance with some embodiments. While the various blocks are shownin a particular order, the order can be modified. For example, someblocks may be performed in parallel while some blocks may be performedbefore others. The various blocks here can be performed by software,hardware, or a combination of them.

At block 802, point-of-user-interaction apparatus 101 transmits (e.g.,wirelessly) a communication message to mobile device 102, wherein thecommunication message is stored in a memory, wherein the memory iscommunicatively coupled to a processor circuitry. In some embodiments,the communication message comprises a near-field communication (NFC)data exchange format (NDEF) tag. At block 804, point-of-user-interactionapparatus 101 generates the first authentication information (e.g., TIDToken2 and TID Key1) and the second authentication information (e.g.,TID Token1 and TID Key2). At block 806, point-of-user-interactionapparatus 101 transmits the first authentication information to mobiledevice 102. At block 808, point-of-user-interaction apparatus 101transmits the second authentication information to backend 104. At block810, point-of-user-interaction apparatus 101 displays an application tocommunicate with a user of mobile device 102. In some embodiments,point-of-user-interaction apparatus 101 instructs at least one or moreinterfaces to transmit the first authentication information to mobiledevice 102. In some embodiments, point-of-user-interaction apparatus 101instructs at least one or more interfaces to transmit the secondauthentication information to backend 104. As discussed herein, backend104 authenticates a transaction between point-of-user-interactionapparatus 101 and mobile device 101 via the first authenticationinformation and the second authentication information.

At block 812, point-of-user-interaction apparatus 101 sends a uniqueidentification (e.g., Merchant ID) to backend 104. As discussed herein,an exchange of IDs takes place originating from mobile device 102 andpoint-of-user-interaction apparatus 101 to verify the transaction andthe tap.

In some embodiments, the method comprises modifying the communicationmessage. For example, the NFC tag can be modified. In some embodiments,the method further comprises generating a first identification (e.g.,Matcher ID or matcher token). In some embodiments,point-of-user-interaction apparatus 101 directly provides the firstidentification to backend 104. In some embodiments,point-of-user-interaction apparatus 101 generates a first identification(e.g., matcher token), wherein the first identification is used to matchthe first authentication information with the second authenticationinformation. In some embodiments, the first identification istransmitted by point-of-user-interaction apparatus 101 to mobile device102. In various embodiments, mobile device 102 provides the firstidentification to backend 104.

In various embodiments, there is an exchange of identifications betweenmobile device 102 and point-of-user-interaction apparatus 101 to furthersecure the transaction between mobile device 102 andpoint-of-user-interaction apparatus 101 caused by a tap. For example,mobile device 102 generates a second identification (e.g., customer ID(also referred to as user ID)) which is a unique identification. Invarious embodiments, the first identification is provided to computingdevice 104 (e.g., backend 104) via mobile device 102. The secondidentification is provided to backend device 102 viapoint-of-user-interaction apparatus 101, in accordance with someembodiments. The second identification is used to identify mobile device102 to point-of-user-interaction apparatus 101. In some embodiments,point-of-user-interaction apparatus 101 generates a secondidentification (e.g., merchant ID) which is a unique identification. Invarious embodiments, the first identification is provided to computingdevice 104 (e.g., backend 104) via point-of-user interaction apparatus101. The second identification is provided to backend device 104 viamobile device 102. The second identification is used to identify themobile device to the point-of-user-interaction apparatus.

Continuing with this example, which can be modified to use other formsof IDs, the second identification generated by mobile device 102 can beprovided to backend 104 via point-of-user-interaction apparatus 101. Thesecond identification (herein also referred to as a thirdidentification) is generated by point-of-user-interaction apparatus 101is provided to backend 104 via mobile device 102. As such, backenddevice 104 receives the second identifications (also referred to as thesecond and third identifications) from two different sources and via twodifferent paths. The second identifications (also referred to as thesecond and third identifications) can be a user ID, merchant ID, orother forms of IDs (such as encrypted IDs). The second and thirdidentifications are usually the same IDs but can be different too. Forexample, the third identification is an encrypted form of the secondidentification or vice versa. The encryption can take place on anysuitable device. For example, the place where the ID resides and/ororiginates is where the ID can be encrypted. In another example, adevice transmitting the ID may encrypt the ID for subsequenttransmission. The second identifications, in one example, is used toidentify the parties involved in the transaction. This exchange ofsecond identifications in such manner further provides a secureauthentication mechanism to authenticate the transaction upon the tap.The exchange of second identifications may occur via any suitable meanssuch as application programmable interfaces (APIs), NFC communication,wireless or wired means. By exchange of the second identifications,backend 104 can authenticate the transaction and/or the tap, inaccordance with various embodiments.

At block 814, point-of-user-interaction apparatus 101 receives anotification of a valid transaction between mobile device and thepoint-of-user-interaction apparatus after the computing deviceauthenticates the transaction.

FIG. 9 illustrates a computing device or a backend server 900 (or hereinbackend 104) for authenticating the transaction between the mobiledevice and the point-of-user-interaction apparatus, in accordance withsome embodiments. In some embodiments, backend server 900 comprisessystem-on-chip (SoC) 901, memory 902, communication interfaces 903, andinterconnect network 904. In some embodiments, database 106 is part ofmemory 902 or a separate memory. In some embodiments, SoC 901 comprisesone or more processors, memory, communication interface, voltageregulator(s), etc. Each processor may include one or more processorcores to execute the instructions.

In some embodiments, backend server 900 comprises a first communicationinterface to allow SoC 901 to communicate with mobile device 102. Insome embodiments, the first communication interface receives a firstauthentication (TID Token2 and TID Key1) information from mobile device102. In some embodiments, backend server 900 comprises a secondcommunication interface to allow SoC 901 to communicate withpoint-of-user-interaction apparatus 101. In some embodiments, the secondcommunication interface receives a second authentication information(TID Token1 and TID Key2) from point-of-user-interaction apparatus 101.In some embodiments, SoC 901 authenticates a transaction between mobiledevice 102 and point-of-user-interaction apparatus 101 by application ofthe first authentication information and the second authenticationinformation.

In various embodiments, backend 104 receives a first identification(e.g., Matcher ID). In some embodiments, point-of-user-interactionapparatus 101 directly provides the first identification to backend 104.In various embodiments, the first identification is used to match thefirst authentication information with the second authenticationinformation. In some embodiments, backend 104 also receives a secondidentification (e.g., User ID) which is a unique identification.Continuing with this example, which can be modified to use other formsof IDs, the second identification generated by mobile device 102 can beprovided to the backend 104 via point-of-user-interaction apparatus 101,and the second identification generated by point-of-user-interactionapparatus 101 is provided to backend 104 via mobile device 102. As such,backend 104 receives the second identifications from two differentsources and via two different paths. The second identifications can be auser ID, merchant ID, or other forms of IDs. The second identifications,in one example, is used to identify the parties involved in thetransaction. This exchange of second identifications in such mannerfurther provides a secure authentication mechanism to authenticate thetransaction upon the tap. The exchange of second identifications mayoccur via any suitable means such as application programmable interfaces(APIs), NFC communication, wireless or wired means. By exchange of thesecond identifications, backend 104 can authenticate the transaction, inaccordance with various embodiments.

As such, fake transaction or fraudulent transactions of credit cardpayments or online payments can be tracked. In some embodiments, SoC 901notifies mobile device 102 of the validity of the transaction via thefirst communication interface. In some embodiments, SoC 901 notifiespoint-of-user-interaction apparatus 101 of the validity of thetransaction via the second communication interface. In some embodiments,the first communication interface comprises a wireless interface. Insome embodiments, the second communication interface comprises a networkinterface.

FIG. 10 illustrates flowchart 1000 of a method performed by thecomputing device or the backend server (e.g., backend 104) forauthenticating the transaction between the mobile device and thepoint-of-user-interaction apparatus, in accordance with someembodiments. While the various blocks are shown in a particular order,the order can be modified. For example, some blocks may be performed inparallel. The various blocks here can be performed by software,hardware, or a combination of them.

At block 1002, backend 104 receives the first authentication information(TID Token2 and TID Key1) from mobile device 102. At block 1004, backend104 receives the second authentication information (TID Token1 and TIDKey2) from point-of-user-interaction apparatus 101. At block 1006,backend 104 authenticates a transaction between mobile device 102 andfrom point-of-user-interaction apparatus 101.

At block 1008, backend 104 receives identifications frompoint-of-user-interaction apparatus 101 and mobile device 102. Asdiscussed herein, an exchange of IDs takes place originating from mobiledevice 102 and point-of-user-interaction apparatus 101 to verify thetransaction and the tap.

In some embodiments, the method comprises receiving a firstidentification (e.g., Matcher ID) from mobile device 102. The firstidentification is used to match the first authentication informationwith the second authentication information. In some embodiments, themethod further comprises receiving a second identification (e.g., UserID) which is a unique identification from point-of-user-interactionapparatus. In some embodiments, backend 104 receives the secondidentification via point-of-user-interaction apparatus 101, which getsit from mobile device 102. The second identification is used to identifymobile device 102 to point-of-user-interaction apparatus 101.

Continuing with this example, which can be modified to use other formsof IDs, the second identification generated by mobile device 102 can beprovided to backend 104 via point-of-user-interaction apparatus 101. Thesecond identification (herein also referred to as a thirdidentification) is generated by point-of-user-interaction apparatus 101is provided to backend 104 via mobile device 102. As such, backenddevice 104 receives the second identifications (also referred to as thesecond and third identifications) from two different sources and via twodifferent paths. The second identifications (also referred to as thesecond and third identifications) can be a user ID, merchant ID, orother forms of IDs (such as encrypted IDs). The second and thirdidentifications are usually the same IDs but can be different too. Forexample, the third identification is an encrypted form of the secondidentification or vice versa. The encryption can take place on anysuitable device. For example, the place where the ID resides and/ororiginates is where the ID can be encrypted. In another example, adevice transmitting the ID may encrypt the ID for subsequenttransmission. The second identifications, in one example, is used toidentify the parties involved in the transaction. This exchange ofsecond identifications in such manner further provides a secureauthentication mechanism to authenticate the transaction upon the tap.The exchange of second identifications may occur via any suitable meanssuch as application programmable interfaces (APIs), NFC communication,wireless or wired means. By exchange of the second identifications,backend 104 can authenticate the transaction and/or the tap, inaccordance with various embodiments.

At block 1010, backend 104 notifies mobile device 102 and frompoint-of-user-interaction apparatus 101 about a validity of thetransaction.

FIG. 11 illustrates another system-level flowchart 1100 for securemobile transaction, in accordance with some embodiments. While thevarious blocks are shown in a particular order, the order can bemodified. For example, some blocks may be performed in parallel. Thevarious blocks here can be performed by software, hardware, or acombination of them. System-level flowchart 1100 shows the transactioncycle and the various events to complete a secure transaction betweenmobile device 102 and point-of-user-interaction apparatus 101. At block1101, the system polls to a tap between mobile device 102 andpoint-of-user-interaction apparatus 101. This process is like theprocess described in block 601 of FIG. 6 . Referring to FIG. 11 , atblock 1102, a customer or user of mobile device 102 tapspoint-of-user-interaction apparatus 101. When the tap is registered, anumber of events occur as illustrated in block 1103. For example, userID (UID) from mobile device 102 is received by backend 104 viapoint-of-user-interaction apparatus 101 and written to persistent memory(e.g., database 106 or memory 902). At block 1103,point-of-user-interaction apparatus 101 randomly generates matcher ID ormatcher token (MT), transaction ID (TID), key 1, and encrypted key 2. Invarious embodiments, key 1 is used to encrypt TID. In some embodiments,the TID is encrypted twice—once with each key. As such, there are twoencrypted tokens TID1 and TID2. In various embodiments, MT, TID2, andKey 1 are provided to backend 104 via mobile device 102, and are writtento persistent memory (e.g., database 106 or memory 902). Any suitablescheme for encryption may be used to encrypt the tokens.

In various embodiments, TID1 and Key2 are provided to backend 104 viapoint-of-user-interaction apparatus 101 and are written to arandom-access memory or the persistent memory. In addition to TID1 andKey2, backend 104 also receives UID of mobile device 102 viapoint-of-user-interaction apparatus 101. The information received bybackend 104 via mobile device 102 and point-of-user-interactionapparatus 101 is used to authenticate the transaction that was initiatedby the tap. At block 1104, backend 104 authenticates the transaction bydecrypting TID1 and TID2 with their respective keys, and transmits theMT, TID1, MID, and Key2 to mobile device 102. In some embodiments, inblock 1102, mobile device 102 sends a command containing the user ID.Then the actions described in 1103 are executed within thepoint-of-user-interaction apparatus 101 (specifically within the secureelement 501 b), in accordance with some embodiments. Then the secureelement 501 b issues a response command to the command issued by mobiledevice 102. This response command contains the information described inblock 1104. In some embodiments, point-of-user-interaction apparatus 101(also referred to as merchant terminal 101 a) waits or polls. Forexample, merchant terminal 501 a polls via, for example, ISO7816 contactinterface to check the status of secure element 501 b to determinewhether a customer (e.g., mobile device 102) has tapped. If a customertapped, the process proceeds to block 1105. At block 1105,point-of-user-interaction apparatus 101 gets the MT, TID2, Key1, UID,and writes the next MID, and process continues.

FIG. 12 illustrates system-level flowchart 1200 for secure transactionat a restaurant or a service center, in accordance with someembodiments. While the various blocks are shown in a particular order,the order can be modified. For example, some blocks may be performed inparallel while some blocks may be performed before others. The variousblocks here can be performed by software, hardware, or a combination ofthem. At block 1201, a customer enters a restaurant and taps mobiledevice 102 (also referred to as a customer device or user device) to apoint-of-user-interaction apparatus 101. This may happen even when nofinancial transaction is made because the customer has not bought orordered anything from the restaurant. This first tap is to register thecustomer with the restaurant so that the customer can be billed later.

At block 1202, customer seats and selects items from a menu. The menucan be an online menu or a physical menu. At block 1203, after eating orbuying the products, customer taps point-of-user-interaction apparatus101 or similar apparatus which is communicatively coupled topoint-of-user-interaction apparatus 101. This is the second tap. Uponthe second tap, the process proceeds to blocks 1205 and 1206 wherepoint-of-user-interaction apparatus 101 sends the first authenticationinformation to mobile device 102 and sends the second authenticationinformation to backend 104. At block 1207, mobile device 102 sends thefirst authentication information to backend 104.

In various embodiments, as indicated with reference to block 1208, thereis an exchange of identifications (IDs) between mobile device 102 andpoint-of-user-interaction apparatus 101 to further secure thetransaction between mobile device 102 and point-of-user-interactionapparatus 101 caused by a tap. Each party (e.g., mobile device 102 andpoint-of-user-interaction apparatus 101) transmits the other party'sidentification (ID) to backend 104. As such, backend 104 canauthenticate the transaction and the parties involved in thattransaction, for example.

In one instance, a first identification (e.g., matcher token) generatedby point-of-user-interaction apparatus 101 is provided to mobile device102, which in turn provides the first identification to backend 104. Insome embodiments, point-of-user-interaction apparatus 101 directlyprovides the first identification to backend 104. Likewise, mobiledevice 102 generates a second identification (e.g., customer ID) andprovides it to point-of-user-interaction apparatus 101, which in turnprovides the second identification to backend 104. Continuing with thisexample, which can be modified to use other forms of IDs, the secondidentification generated by mobile device 102 can be provided to thebackend 104 via point-of-user-interaction apparatus 101, and the secondidentification generated by point-of-user-interaction apparatus 101 isprovided to backend 104 via mobile device 102. As such, backend 104receives the second identifications from two different sources and viatwo different paths. The second identifications can be a user ID,merchant ID, or other forms of IDs. The second identifications, in oneexample, is used to identify the parties involved in the transaction.This exchange of second identifications in such manner further providesa secure authentication mechanism to authenticate the transaction uponthe tap. The exchange of second identifications may occur via anysuitable means such as application programmable interfaces (APIs), NFCcommunication, wireless or wired means. By exchange of the secondidentifications, backend 104 can authenticate the transaction, inaccordance with various embodiments.

At block 1209, mobile device 102 and point-of-user-interaction apparatus101 receive notification about the validity of the transaction thatstarted with the first tap and ended with the second tap. Once thetransaction is deemed valid, customer leaves as indicated by block 1210.

The various flowcharts discussed herein can be part of a programsoftware code. Program software code/instructions associated withvarious embodiments may be implemented as part of an operating system ora specific application, component, program, object, module, routine, orother sequence of instructions or organization of sequences ofinstructions referred to as “program software code/instructions,”“operating system program software code/instructions,” “applicationprogram software code/instructions,” or simply “software” or firmwareembedded in processor. In some embodiments, the program softwarecode/instructions associated with processes of various embodiments areexecuted by a processor system.

In some embodiments, the program software code/instructions associatedwith various embodiments are stored in a computer executable storagemedium and executed by a processor. Here, computer executable storagemedium is a tangible machine-readable medium that can be used to storeprogram software code/instructions and data that, when executed by acomputing device, causes one or more processors to perform a process.

The tangible machine-readable medium may include storage of theexecutable software program code/instructions and data in varioustangible locations, including for example ROM, volatile RAM,non-volatile memory and/or cache and/or other tangible memory asreferenced in the present application. Portions of this program softwarecode/instructions and/or data may be stored in any one of these storageand memory devices. In some embodiments, the program softwarecode/instructions can be obtained from other storage, including, e.g.,through centralized servers or peer to peer networks and the like,including the Internet. Different portions of the software programcode/instructions and data can be obtained at different times and indifferent communication sessions or in the same communication session.

The software program code/instructions associated with the variousembodiments can be obtained in their entirety prior to the execution ofa respective software program or application. Alternatively, portions ofthe software program code/instructions and data can be obtaineddynamically, e.g., just in time, when needed for execution.Alternatively, some combination of these ways of obtaining the softwareprogram code/instructions and data may occur, e.g., for differentapplications, components, programs, objects, modules, routines or othersequences of instructions or organization of sequences of instructions,by way of example. Thus, it is not required that the data andinstructions be on a tangible machine-readable medium in entirety at aparticular instance of time.

Examples of tangible computer-readable media include but are not limitedto recordable and non-recordable type media such as volatile andnon-volatile memory devices, read only memory (ROM), random accessmemory (RAM), flash memory devices, floppy and other removable disks,magnetic storage media, optical storage media (e.g., Compact DiskRead-Only Memory (CD ROMS), Digital Versatile Disks (DVDs), etc.), amongothers. The software program code/instructions may be temporarily storedin digital tangible communication links while implementing electrical,optical, acoustical, or other forms of propagating signals, such ascarrier waves, infrared signals, digital signals, etc. through suchtangible communication links.

The term “device” may generally refer to an apparatus according to thecontext of the usage of that term. For example, a device may refer to astack of layers or structures, a single structure or layer, a connectionof various structures having active and/or passive elements, etc.Generally, a device is a three-dimensional structure with a plane alongthe x-y direction and a height along the z direction of an x-y-zCartesian coordinate system. The plane of the device may also be theplane of an apparatus, which comprises the device.

Throughout the specification, and in the claims, the term “connected”may generally refer to a direct connection, such as electrical,mechanical, or magnetic connection between the things that areconnected, without any intermediary devices.

The term “coupled” may generally refer a direct or indirect connection,such as a direct electrical, mechanical, or magnetic connection betweenthe things that are connected or an indirect connection, through one ormore passive or active intermediary devices.

The term “adjacent” here may generally refer to a position of a thingbeing next to (e.g., immediately next to or close to with one or morethings between them) or adjoining another thing (e.g., abutting it).

The term “circuit” or “module” may generally refer to one or morepassive and/or active components that are arranged to cooperate with oneanother to provide a desired function. A module may also refer to one ormore blocks of software code that perform one or more functions.

The term “signal” may generally refer to at least one current signal,voltage signal, magnetic signal, or data/clock signal. The meaning of“a,” “an,” and “the” include plural references. The meaning of “in”includes “in” and “on.”

Here, the term “analog signal” may generally refer to any continuoussignal for which the time varying feature (variable) of the signal is arepresentation of some other time varying quantity, i.e., analogous toanother time varying signal.

Here, the term “digital signal” may generally refer to a physical signalthat is a representation of a sequence of discrete values (a quantifieddiscrete-time signal), for example of an arbitrary bit stream, or of adigitized (sampled and analog-digital converted) analog signal.

The terms “substantially,” “close,” “approximately,” “near,” and“about,” may generally refer to being within +/−10% of a target value.For example, unless otherwise specified in the explicit context of theiruse, the terms “substantially equal,” “about equal” and “approximatelyequal” mean that there is no more than incidental variation betweenamong things so described. In the art, such variation is typically nomore than +/−10% of a predetermined target value.

Unless otherwise specified the use of the ordinal adjectives “first,”“second,” and “third,” etc., to describe a common object, merelyindicate that different instances of like objects are being referred to,and are not intended to imply that the objects so described must be in agiven sequence, either temporally, spatially, in ranking or in any othermanner.

For the purposes of the present disclosure, phrases “A and/or B” and “Aor B” mean (A), (B), or (A and B). For the purposes of the presentdisclosure, the phrase “A, B, and/or C” means (A), (B), (C), (A and B),(A and C), (B and C), or (A, B and C).

Here the term “mobile device” or an “interacting device” may generallyrefer to a smart device that can execute one or more software. A mobiledevice or an interacting device may be any device capable ofcommunicating over a communication interface (e.g., a radio, Near-fieldCommunication (NFC), Bluetooth, cellular, wired means such as UniversalSerial Bus (USB), etc.). Examples of the mobile device include a smartphone, a tablet, a watch, or other wearable devices.

As used herein, the term “near-field” or “Near-field Communication(NFC)” may generally refer to communication protocols and compatibleradios in which the maximum intended communication distance is less thanthe wavelength of the radio wave used for that communication. ISO 14443(NFC) is an example of near-field because the wavelength is on the orderof 870 inches and the intended communication distance is only a fewinches. All communications protocols and compatible radios that are notnear-field are referred to herein as “non-near-field.” An example of anon-near-field protocol is BLUETOOTH′ because the wavelength is on theorder of 4.5 inches and the intended communication distance is typicallymuch greater than 4.5 inches. The use of the term “non-near-field radio”is not meant to imply that the distance of communication cannot be lessthan the wavelength for the non-near-field radio.

Here the term “tap” may generally refer to an action that brings onedevice close enough to another device to engage a communication protocol(e.g., an NFC communication). The two devices may be in direct contactwith one other or substantially close to trigger a communication betweenthe two devices. The communication may be one way or bidirectional.

The term “transaction” as used herein may generally refer to the processof accepting and/or operating on a point-of-sale transaction. Forexample, a transaction may include tallying votes on a validated ballot,or the acceptance of a point-of-sale operation, acceptance of ane-commerce deal, signing a digital and/or physical document, registeringwith an organization, attendance verification, security verification atan office, airport, or any point of entry or exit, etc.

The terms “Transaction ID” or “TID” may generally refer to software orhardware based identifier which includes a token and a correspondingkey.

The terms “TID Token” (e.g., TID Token1 and TID Token2) may generallyrefer to a software or hardware based variable-length format ofinformation associated with the transaction described herein. A TIDtoken may comprise a key value and a control information in a datasection of that information. For example, a TID Token may comprise of aheader that defines the type of token and security algorithm used; apayload that contains user information and metadata such as tokenduration and time of creation; and a signature to verify the sender'sidentity and the message's authenticity. A TID Token may be an assertionof a user's identity.

The terms “TID Key” (e.g., TID Key1 and TID Key2) may generally refer toa software or hardware set of bits that are used to decrypt or encrypt atoken. For example, TID Key1 may be used to encrypt and decrypt TIDToken1.

The terms “Matcher”, “Matcher ID” or “Matcher Token” or “MT” maygenerally refer to a unique identifier (e.g., a 16-byte identifier) usedto pair transaction receipts so that the transaction receipts may beused to decrypt each other's TIDs. A Matcher may be similar to a TID butis not encrypted in some examples.

The terms “User ID”, “UID”, “Customer ID”, or “CID” may generally referto a unique identification for a user device such as a mobile device. Anexample of a User ID may be a media access control address (MAC address)or serial number assigned by the Original Equipment Manufacturer (OEM).

The terms “Merchant ID” or “MID” may generally refer to a uniqueidentification for a merchant device such as a point-of-user-interactionterminal or point-of-sale equipment. An example of a Merchant ID may bea media access control address (MAC address) or serial number assignedby the Original Equipment Manufacturer (OEM).

The term “security element” or “secure element” may generally refer to apoint-of-user-interaction module that provides secure informationstorage. Secure element may include an NFC radio and a controller. Thesecure element may include one or more interfaces. For example, thesecure element may include an NFC radio with an enhancement circuit orcontroller with a secure function that includes applets, keys, ordigital certificates to validate an identity of a certificate holder.Secure element may have ability to communicate with a user device (e.g.,a mobile device) and a merchant terminal.

Reference in the specification to “an embodiment,” “one embodiment,”“some embodiments,” or “other embodiments” means that a particularfeature, structure, or characteristic described in connection with theembodiments is included in at least some embodiments, but notnecessarily all embodiments. The various appearances of “an embodiment,”“one embodiment,” or “some embodiments” are not necessarily allreferring to the same embodiments. If the specification states acomponent, feature, structure, or characteristic “may,” “might,” or“could” be included, that particular component, feature, structure, orcharacteristic is not required to be included. If the specification orclaim refers to “a” or “an” element, that does not mean there is onlyone of the elements. If the specification or claims refer to “anadditional” element, that does not preclude there being more than one ofthe additional elements.

Furthermore, the particular features, structures, functions, orcharacteristics may be combined in any suitable manner in one or moreembodiments. For example, a first embodiment may be combined with asecond embodiment anywhere the particular features, structures,functions, or characteristics associated with the two embodiments arenot mutually exclusive.

While the disclosure has been described in conjunction with specificembodiments thereof, many alternatives, modifications and variations ofsuch embodiments will be apparent to those of ordinary skill in the artconsidering the foregoing description. The embodiments of the disclosureare intended to embrace all such alternatives, modifications, andvariations as to fall within the broad scope of the appended claims.

Following examples are provided that illustrate the various embodiments.The examples can be combined with other examples. As such, variousembodiments can be combined with other embodiments without changing thescope of the invention. For example, example 7 can be combined withexample 3 or 2, or both.

Example 1: A mobile device comprising: an antenna to detect or read acommunication target from a point-of-user-interaction apparatus near themobile device; a reader to initiate a transmission of a command to thepoint-of-user-interaction apparatus, and to read a response from thepoint-of-user-interaction apparatus, wherein the reader coupled to theantenna; a display unit that changes its display based on the responsefrom the point-of-user-interaction apparatus and/or the communicationtarget; and a circuitry that executes instructions to receive a firstauthentication information from the point-of-user-interaction apparatus,wherein the point-of-user-interaction apparatus is to transmit a secondauthentication information to a computing device, wherein the circuitryexecutes instructions to send the first authentication information tothe computing device, wherein the computing device is to authenticate atransaction between the point-of-user-interaction apparatus and themobile device via the first authentication information and the secondauthentication information, wherein the computing device is to notifythe circuitry of a valid transaction between mobile device and thepoint-of-user-interaction apparatus after the computing deviceauthenticates the transaction.

Example 2: The mobile device of example 1, wherein the firstauthentication information includes: a first key, associated with afirst cryptographic token, from the point-of-user-interaction apparatus;and a second cryptographic token, associated with a second key, from thepoint-of-user-interaction apparatus.

Example 3: The mobile device of example 2, wherein the secondauthentication information includes the second key and the firstcryptographic token.

Example 4: The mobile device of example 1, wherein thepoint-of-user-interaction apparatus generates a first identification,wherein the first identification is used to match the firstauthentication information with the second authentication information.

Example 5: The mobile device of example 4, wherein the circuitry is togenerate a second identification which is a second uniqueidentification, wherein the second identification is provided to thecomputing device via the point-of-user-interaction apparatus, whereinthe second identification is used to identify the mobile device to thepoint-of-user-interaction apparatus.

Example 6: The mobile device of example 5, wherein thepoint-of-user-interaction apparatus is to generate a thirdidentification which is a third unique identification, wherein the thirdidentification is provided to the computing device via the mobiledevice.

Example 7: The mobile device of example 6, wherein the second uniqueidentification and same as the third unique identification, or whereinthe second unique identification and different than the third uniqueidentification.

Example 8: The mobile device of example 1, wherein the communicationtarget comprises a near-field communication (NFC) data exchange format(NDEF) target.

Example 9: The mobile device of example 1, wherein the antennacontinuously or regularly initiates a transmission and listens for aresponse from communication targets near the mobile device.

Example 10: The mobile device of example 1, wherein the transmission andthe response are near-field communications.

Example 11: The mobile device of example 1, wherein the reader comprisesa first application programmable interface to initiate the transmissionand to read the response.

Example 12: The mobile device of example 11 comprises a secondapplication programmable interface to issue a notification or ahyperlink based on the response, wherein a user interaction with thenotification or the hyperlink is to cause the display of theapplication.

Example 13: The mobile device of example 12, wherein the notification orthe hyperlink is transmitted from the communication target.

Example 14: The mobile device of example 12 comprises a camera or abiometric sensor to authenticate a user of the mobile device based on auser's interaction with the notification or the hyperlink.

Example 15: The mobile device of example 1 comprises a camera or abiometric sensor to authenticate a user of the mobile device.

Example 16: The mobile device of example 1, wherein the validtransaction is a financial transaction or wherein the valid transactionis a voting ballot cast.

Example 17: The mobile device of example 2, wherein the computing deviceis a first computing device, and wherein the point-of-user-interactionapparatus is to transmit the first cryptographic token and the secondkey to a second computing device, wherein the second computing device isto transmit the first cryptographic token and the second key to thefirst computing device.

Example 18: The mobile device of example 2, wherein the computing deviceis to decode the second cryptographic token with the second key, whereinthe computing device is to notify the circuitry of a validity of thetransaction between the mobile device and the point-of-user-interactionapparatus after the first cryptographic token and the secondcryptographic token are decoded.

Example 19: A method for secure and fast transaction between a mobiledevice and a point-of-user-interaction apparatus, the method comprising:detecting or reading a communication target from thepoint-of-user-interaction apparatus near the mobile device; initiating atransmission of a command to the point-of-user-interaction apparatus;reading a response from the point-of-user-interaction apparatus inresponse to the command; displaying an application based on the responsefrom the point-of-user-interaction apparatus and/or the communicationtarget; receiving a first authentication information from thepoint-of-user-interaction apparatus; transmitting the firstauthentication information to a computing device, wherein the computingdevice is to receive a second authentication information directly orindirectly from the point-of-user-interaction apparatus, wherein thecomputing device is to authenticate a transaction between thepoint-of-user-interaction apparatus and the mobile device via the firstauthentication information and the second authentication information;and receiving a notification, from the computing device, of a validtransaction between the mobile device and the point-of-user-interactionapparatus after the computing device authenticates the transaction.

Example 20: The method of example 19, wherein the first authenticationinformation includes: a first key, associated with a first cryptographictoken, from the point-of-user-interaction apparatus; and a secondcryptographic token, associated with a second key, from thepoint-of-user-interaction apparatus, wherein the second authenticationinformation includes the second key and the first cryptographic token.

Example 21: The method of example 19, wherein the communication targetcomprises a near-field communication (NFC) data exchange format (NDEF)target.

Example 22: The method of example 19, wherein detecting or reading thecommunication target comprises continuously or regularly listening forcommunication targets near the mobile device.

Example 23: The method of example 19, wherein the transmission and theresponse are near-field communications.

Example 24: The method of example 19, wherein reading the responsecomprises operating a first application programmable interface toinitiate the transmission and to read the response.

Example 25: The method of example 24 comprises operating a secondapplication programmable interface to issue a notification or ahyperlink based on the response, wherein a user interaction ofnotification or the hyperlink is to cause the display of theapplication, wherein the notification or the hyperlink is embedded inthe communication target, wherein the valid transaction is a financialtransaction, or a voting ballot.

Example 26: The method of example 20, comprising: transmitting the firstkey and the second cryptographic token to the computing device, whereinthe computing device is to decode the second cryptographic token withthe second key; and receiving a notification of a valid transactionbetween the mobile device and the point-of-user-interaction apparatusafter the first cryptographic token and the second cryptographic tokenare decoded.

Example 27: The method of example 19, wherein thepoint-of-user-interaction apparatus generates a first identification,wherein the first identification is used to match the firstauthentication information with the second authentication information.

Example 28: The method of example 27 comprising generating a secondidentification which is a second unique identification, wherein thesecond identification is provided to the computing device via thepoint-of-user-interaction apparatus, wherein the second identificationis used to identify the mobile device to the point-of-user-interactionapparatus.

Example 29: The method of example 28, wherein thepoint-of-user-interaction apparatus is to generate a thirdidentification which is a third unique identification, wherein the thirdidentification is provided to the computing device via the mobiledevice.

Example 30: The method of example 29, wherein the second uniqueidentification and same as the third unique identification, or whereinthe second unique identification and different than the third uniqueidentification.

Example 31: A machine-readable storage media having one or moremachine-readable instructions stored therein, that when executed, causeone or more machines to perform a method for secure and fast transactionbetween a mobile device and a point-of-user-interaction apparatus, themethod comprising: detecting or reading a communication target from thepoint-of-user-interaction apparatus near the mobile device; initiating atransmission of a command to the point-of-user-interaction apparatus;reading a response from the point-of-user-interaction apparatus inresponse to the command; displaying an application based on the responsefrom the point-of-user-interaction apparatus and/or the communicationtarget; receiving a first authentication information from thepoint-of-user-interaction apparatus; transmitting the firstauthentication information to a computing device, wherein the computingdevice is to receive a second authentication information directly orindirectly from the point-of-user-interaction apparatus, wherein thecomputing device is to authenticate a transaction between thepoint-of-user-interaction apparatus and the mobile device via the firstauthentication information and the second authentication information;and receiving a notification, from the computing device, of a validtransaction between the mobile device and the point-of-user-interactionapparatus after the computing device authenticates the transaction.

Example 32: The machine-readable storage media of example 31, whereinthe point-of-user-interaction apparatus generates a firstidentification, wherein the first identification is used to match thefirst authentication information with the second authenticationinformation.

Example 33: The machine-readable storage media of example 32 havingfurther one or more machine-readable instructions stored therein, thatwhen executed, cause the one or more machines to perform a furthermethod for secure and fast transaction between the mobile device and thepoint-of-user-interaction apparatus, the further method comprising:generating a second identification which is a second uniqueidentification, wherein the second identification is provided to thecomputing device via the point-of-user-interaction apparatus, whereinthe second identification is used to identify the mobile device to thepoint-of-user-interaction apparatus.

Example 34: The machine-readable storage media of example 33, whereinthe point-of-user-interaction apparatus is to generate a thirdidentification which is a third unique identification, wherein the thirdidentification is provided to the computing device via the mobiledevice.

Example 35: The machine-readable storage media of example 34, whereinthe second unique identification and same as the third uniqueidentification, or wherein the second unique identification anddifferent than the third unique identification.

Example 1a: A point-of-user-interaction apparatus, comprising: a memoryto store a communication message; a first controller with a securityfunction, the first controller communicatively coupled to the memory,wherein the first controller is to generate a first authenticationinformation and a second authentication information; a message circuitryto wirelessly transmit the communication message to a mobile device; oneor more interfaces to: transmit the communication message to the messagecircuitry; transmit the first authentication information, via themessage circuitry, to the mobile device, and transmit, via a networkconnection, the second authentication information to a computing device;a display unit to display an application to communicate with a user ofthe mobile device; and a second controller communicatively coupled tothe display unit; wherein the first controller is to instruct at leastone of the one or more interfaces to transmit the first authenticationinformation to the mobile device; wherein the second controller is toinstruct at least one of the one or more interfaces to transmit thesecond authentication information to the computing device, wherein thecomputing device is to authenticate a transaction between thepoint-of-user-interaction apparatus and the mobile device via the firstauthentication information and the second authentication information,and wherein the computing device is to notify the second controller of avalid transaction between mobile device and thepoint-of-user-interaction apparatus after the computing deviceauthenticates the transaction.

Example 2a: The point-of-user-interaction apparatus of example 1a,comprises a circuitry operable to modify the communication message.

Example 3a: The point-of-user-interaction apparatus of example 1a,wherein the mobile device includes: an antenna to detect or read thecommunication message from the point-of-user-interaction apparatus nearthe mobile device; a reader to initiate a transmission of a command tothe point-of-user-interaction apparatus, and to read a response from thepoint-of-user-interaction apparatus, wherein the reader is coupled tothe antenna; a display unit to display an application based on theresponse from the point-of-user-interaction apparatus and/or thecommunication message; and a circuitry to receive the firstauthentication information from the point-of-user-interaction apparatus,wherein the circuitry is to send the first authentication information tothe computing device.

Example 4a: The point-of-user-interaction apparatus of example 1a,wherein the first authentication information includes: a first key,wherein the first key is associated with a first cryptographic token;and a second cryptographic token, wherein the second cryptographic tokenis associated with a second key.

Example 5a: The point-of-user-interaction apparatus of example 4aa,wherein the second authentication information includes the second keyand the first cryptographic token.

Example 6a: The point-of-user-interaction apparatus of example 3a,wherein the first controller generates a first identification, whereinthe first identification is used to match the first authenticationinformation with the second authentication information.

Example 7a: The point-of-user-interaction apparatus of example 6a,wherein the circuitry is to generate a second identification which is asecond unique identification, wherein the second identification isprovided to the computing device via the point-of-user-interactionapparatus, wherein the second identification is used to identify themobile device to the point-of-user-interaction apparatus.

Example 8a: The point-of-user-interaction apparatus of example 7a,wherein the first controller is to generate a third identification whichis a third unique identification, wherein the third identification isprovided to the computing device via the mobile device.

Example 9a: The point-of-user-interaction apparatus example 8a, whereinthe second unique identification and same as the third uniqueidentification, or wherein the second unique identification anddifferent than the third unique identification.

Example 10a: The point-of-user-interaction apparatus of example 3a,wherein the antenna continuously or regularly listens for communicationmessages near the mobile device.

Example 11a: The point-of-user-interaction apparatus of example 1a,wherein the communication message comprises a near field communication(NFC) data exchange format (NDEF) tag.

Example 12a: The point-of-user-interaction apparatus of example 3a,wherein the transmission and the response are near field communications.

Example 13a: The point-of-user-interaction apparatus of example 3a,wherein the reader comprises a first application programmable interfaceto initiate the transmission and to read the response.

Example 14a: The point-of-user-interaction apparatus of example 13a,wherein the mobile device comprises a second application programmableinterface to issue a notification or a hyperlink based on the response,wherein a user interaction with the notification or the hyperlink is tocause the display of the application.

Example 15a: The point-of-user-interaction apparatus of example 14a,wherein the notification or the hyperlink is part of the communicationmessage.

Example 16a: The point-of-user-interaction apparatus of example 14a,wherein the mobile device comprises a camera or a biometric sensor toauthenticate a user of the mobile device based on the notification orthe hyperlink.

Example 17a: The point-of-user-interaction apparatus of example 1a,wherein the mobile device comprises a camera or a biometric sensor toauthenticate a user of the mobile device.

Example 18a: The point-of-user-interaction apparatus of example 1a,wherein the valid transaction is a financial transaction or wherein thevalid transaction is a voting ballot.

Example 19a: The point-of-user-interaction apparatus of example 5a,wherein: the mobile device is to send the first key and the secondcryptographic token to the computing device; the computing device is todecode the second cryptographic token with the second key, the computingdevice is to decode the first cryptographic token with the first key,and computing device is to notify the second controller of a validtransaction between the mobile device and the point-of-user interactionapparatus after the first cryptographic token and the secondcryptographic token are decoded.

Example 20a: The point-of-user-interaction apparatus of example 1a,wherein the message circuitry comprises an NFC radio.

Example 21a: A point-of-user-interaction apparatus, comprising: a memoryto store a communication message; a processor circuitry with a securityfunction, the processor circuitry communicatively coupled to the memory,wherein the processor circuitry is to generate a first authenticationinformation and a second authentication information; a message circuitryto wirelessly transmit the communication message to a mobile device; oneor more interfaces to: transmit the communication message to the messagecircuitry; transmit the first authentication information, via themessage circuitry, to the mobile device, and transmit the secondauthentication information to a computing device; and a display unit todisplay an application to communicate with a user of the mobile device,wherein the display unit is communicatively coupled to the processorcircuitry; wherein the processor circuitry is to instruct at least oneof the one or more interfaces to transmit the first authenticationinformation to the mobile device; wherein the processor circuitry is toinstruct at least one of the one or more interfaces to transmit thesecond authentication information to the computing device, wherein thecomputing device is to authenticate a transaction between thepoint-of-user-interaction apparatus and the mobile device via the firstauthentication information and the second authentication information,and wherein the computing device is to notify the processor circuitry ofa valid transaction between mobile device and thepoint-of-user-interaction apparatus after the computing deviceauthenticates the transaction.

Example 22a: The point-of-user-interaction apparatus of example 21a,wherein the processor circuitry is part of a system-on-chip (SoC).

Example 23a: A method performed by a point-of-user-interactionapparatus, the method comprising: wirelessly transmitting acommunication message to a mobile device, wherein the communicationmessage is stored in a memory, wherein the memory is communicativelycoupled to a processor circuitry; generating a first authenticationinformation and a second authentication information; transmitting thefirst authentication information to the mobile device; transmitting thesecond authentication information to a computing device; displaying anapplication to communicate with a user of the mobile device, wherein theprocessor circuitry is to instruct at least one of a one or moreinterfaces to transmit the first authentication information to themobile device, wherein the processor circuitry is to instruct at leastone of the one or more interfaces to transmit the second authenticationinformation to the computing device, wherein the computing device is toauthenticate a transaction between the point-of-user-interactionapparatus and the mobile device via the first authentication informationand the second authentication information; and receiving a notificationof a valid transaction between mobile device and thepoint-of-user-interaction apparatus after the computing deviceauthenticates the transaction.

Example 24a: The method of example 23a further comprising modifying thecommunication message.

Example 25a: The method of example 23a further comprising generating afirst identification, wherein the first identification is used to matchthe first authentication information with the second authenticationinformation.

Example 26a: The method of example 25a, wherein the mobile device is togenerate a second identification which is a second uniqueidentification, wherein the second identification is provided to thecomputing device via the point-of-user-interaction apparatus, whereinthe second identification is used to identify the mobile device to thepoint-of-user-interaction apparatus.

Example 27a: The method of example 26a, further comprising generating athird identification which is a third unique identification, wherein thethird identification is provided to the computing device via the mobiledevice.

Example 28a: The method of example 27a, wherein the second uniqueidentification and same as the third unique identification, or whereinthe second unique identification and different than the third uniqueidentification.

Example 29: A machine-readable storage media having one or moremachine-readable instructions stored therein, that when executed, causeone or more machines to perform a method for secure and fast transactionbetween a mobile device and a point-of-user-interaction apparatus, themethod comprising: wirelessly transmitting a communication message to amobile device, wherein the communication message is stored in a memory,wherein the memory is communicatively coupled to a processor circuitry;generating a first authentication information and a secondauthentication information; transmitting the first authenticationinformation to the mobile device, transmitting the second authenticationinformation to a computing device; displaying an application tocommunicate with a user of the mobile device, wherein the processorcircuitry is to instruct at least one of a one or more interfaces totransmit the first authentication information to the mobile device,wherein the processor circuitry is to instruct at least one of the oneor more interfaces to transmit the second authentication information tothe computing device, wherein the computing device is to authenticate atransaction between the point-of-user-interaction apparatus and themobile device via the first authentication information and the secondauthentication information; and receiving a notification of a validtransaction between mobile device and the point-of-user-interactionapparatus after the computing device authenticates the transaction.

Example 30a: The machine-readable storage media of example 29a havingfurther one or more machine-readable instructions stored therein, thatwhen executed, cause the one or more machines to perform a furthermethod comprising: modifying the communication message.

Example 31a: The machine-readable storage media of example 29a havingfurther one or more machine-readable instructions stored therein, thatwhen executed, cause the one or more machines to perform a furthermethod comprising: generating a first identification, wherein the firstidentification is used to match the first authentication informationwith the second authentication information.

Example 32a: The machine-readable storage media of example 31a, whereinthe mobile device is to generate a second identification which is asecond unique identification, wherein the second identification isprovided to the computing device via the point-of-user-interactionapparatus, wherein the second identification is used to identify themobile device to the point-of-user-interaction apparatus.

Example 33a: The machine-readable storage media of example 32a, havingfurther one or more machine-readable instructions stored therein, thatwhen executed, cause the one or more machines to perform a furthermethod comprising: generating a third identification which is a thirdunique identification, wherein the third identification is provided tothe computing device via the mobile device.

Example 34a: The machine-readable storage media of example 33a, whereinthe second unique identification and same as the third uniqueidentification, or wherein the second unique identification anddifferent than the third unique identification.

Example 1b: An apparatus comprising: a processor; a first communicationinterface to allow the processor to communicate with a mobile device,wherein the first communication interface is to receive a firstauthentication information from the mobile device; and a secondcommunication interface to allow the processor to communicate withpoint-of-user-interaction apparatus, wherein the second communicationinterface is to receive a second authentication information from thepoint-of-user-interaction apparatus, wherein the processor is toauthenticate a transaction between the mobile device and thepoint-of-user-interaction apparatus by application of the firstauthentication information and the second authentication information,wherein the processor is to notify the mobile device of a validity ofthe transaction via the first communication interface, wherein theprocessor is to notify the point-of-user-interaction apparatus of thevalidity of the transaction via the second communication interface.

Example 2b: The apparatus of example 1b, wherein the first communicationinterface comprises a wireless interface.

Example 3b: The apparatus of example 1b, wherein the secondcommunication interface comprises a network interface.

Example 4b: The apparatus of example 1b, wherein thepoint-of-user-interaction apparatus comprises: a memory to store acommunication message; a first controller with a security function, thefirst controller communicatively coupled to the memory, wherein thefirst controller is to generate the first authentication information andthe second authentication information; a message circuitry to wirelesslytransmit the communication message to the mobile device; one or moreinterfaces to: transmit the communication message to the messagecircuitry; transmit the first authentication information, via themessage circuitry, to the mobile device, and transmit, via a networkconnection, the second authentication information to the secondcommunication interface; a display unit to display an application tocommunicate with a user of the mobile device; and a second controllercommunicatively coupled to the display unit; wherein the firstcontroller is to instruct at least one of the one or more interfaces totransmit the first authentication information to the mobile device, andwherein the second controller is to instruct at least one of the one ormore interfaces to transmit the second authentication information to thesecond communication interface.

Example 5b: The apparatus of example 4b, wherein thepoint-of-user-interaction apparatus comprises a circuitry operable tomodify the communication message.

Example 6b: The apparatus of example 4b, wherein the mobile deviceincludes: an antenna to detect or read the communication message fromthe point-of-user-interaction apparatus near the mobile device; a readerto initiate a transmission of a command to the point-of-user-interactionapparatus, and to read a response from the point-of-user-interactionapparatus, wherein the reader is coupled to the antenna; a display unitto display an application based on the response from thepoint-of-user-interaction apparatus and/or the communication message;and a circuitry to receive the first authentication information from thepoint-of-user-interaction apparatus, wherein the circuitry is to sendthe first authentication information to the first communicationinterface.

Example 7b: The apparatus of example 4b, wherein the firstauthentication information includes: a first key, wherein the first keyis associated with a first cryptographic token; and a secondcryptographic token, wherein the second cryptographic token isassociated with a second key.

Example 8b: The apparatus of example 7b, wherein the secondauthentication information includes the second key and the firstcryptographic token.

Example 9b: The apparatus of example 4b, wherein the first controllergenerates a first identification, wherein the first identification isused to match the first authentication information with the secondauthentication information.

Example 10b: The apparatus of example 9b, wherein the circuitry is togenerate a second identification which is a second uniqueidentification, wherein the apparatus is to receive the secondidentification via the point-of-user-interaction apparatus, wherein thesecond identification is used to identify the mobile device to thepoint-of-user-interaction apparatus.

Example 11b: The apparatus of example 10b, wherein thepoint-of-user-interaction apparatus is to generate a thirdidentification which is a third unique identification, wherein the thirdidentification is provided to the apparatus via the mobile device.

Example 12b: The apparatus of example 11b, wherein the second uniqueidentification and same as the third unique identification, or whereinthe second unique identification and different than the third uniqueidentification.

Example 13b: The apparatus of example 6b, wherein the antennacontinuously or regularly listens for communication messages near themobile device.

Example 14b: The apparatus of example 6b, wherein the communicationmessage comprises a near field communication (NFC) data exchange format(NDEF) tag.

Example 15b: The apparatus of example 6b, wherein the transmission andthe response are near field communications.

Example 16b: The apparatus of example 6b, wherein the reader comprises afirst application programmable interface to initiate the transmissionand to read the response.

Example 17b: The apparatus of example 16b, wherein the mobile devicecomprises a second application programmable interface to issue anotification or a hyperlink based on the response, wherein a userinteraction with the notification or the hyperlink is to cause thedisplay of the application.

Example 18b: The apparatus of example 17b, wherein the notification orthe hyperlink is part of the communication message.

Example 19b: The apparatus of example 17b, wherein the mobile devicecomprises a camera or a biometric sensor to authenticate a user of themobile device based on the notification or the hyperlink.

Example 20b: The apparatus of example 1b, wherein the mobile devicecomprises a camera or a biometric sensor to authenticate a user of themobile device.

Example 21b: The apparatus of example 1b, wherein the transaction is afinancial transaction or wherein the transaction is a voting ballot.

Example 22b: The apparatus of example 8b, wherein: the mobile device isto send the first key and the second cryptographic token to the firstcommunication interface; the processor is to decode the secondcryptographic token with the second key, the processor is to decode thefirst cryptographic token with the first key, and the processor is tonotify the second controller of a valid transaction between the mobiledevice and the point-of-user interaction apparatus after the firstcryptographic token and the second cryptographic token are decoded.

Example 23b: The apparatus of example 4b, wherein the message circuitrycomprises an NFC radio.

Example 24b: A method for authenticating a transaction between a mobiledevice and a point-of-user-interaction apparatus, the method comprising:receiving a first authentication information from the mobile device;receiving a second authentication information from thepoint-of-user-interaction apparatus; authenticating a transactionbetween the mobile device and the point-of-user-interaction apparatus byapplication of the first authentication information and the secondauthentication information; notifying the mobile device of a validity ofthe transaction; and notifying the point-of-user-interaction apparatusof the validity of the transaction.

Example 25b: The method of example 24b, wherein thepoint-of-user-interaction apparatus comprises: a memory to store acommunication message; a first controller with a security function, thefirst controller communicatively coupled to the memory, wherein thefirst controller is to generate the first authentication information andthe second authentication information; a message circuitry to wirelesslytransmit the communication message to the mobile device; one or moreinterfaces to: transmit the communication message to the messagecircuitry; transmit the first authentication information, via themessage circuitry, to the mobile device, and transmit, via a networkconnection, the second authentication information to the secondcommunication interface; a display unit to display an application tocommunicate with a user of the mobile device; and a second controllercommunicatively coupled to the display unit; wherein the firstcontroller is to instruct at least one of the one or more interfaces totransmit the first authentication information to the mobile device, andwherein the second controller is to instruct at least one of the one ormore interfaces to transmit the second authentication information to thesecond communication interface.

Example 26b: The method of example 25b, wherein thepoint-of-user-interaction apparatus comprises a circuitry operable tomodify the communication message.

Example 27b: The method of example 25b, wherein the mobile deviceincludes: an antenna to detect or read the communication message fromthe point-of-user-interaction apparatus near the mobile device; a readerto initiate a transmission of a command to the point-of-user-interactionapparatus, and to read a response from the point-of-user-interactionapparatus, wherein the reader is coupled to the antenna; a display unitto display an application based on the response from thepoint-of-user-interaction apparatus and/or the communication message;and a circuitry to receive the first authentication information from thepoint-of-user-interaction apparatus, wherein the circuitry is to sendthe first authentication information to the first communicationinterface.

Example 28b: The method of example 25b, wherein the first authenticationinformation includes: a first key, wherein the first key is associatedwith a first cryptographic token; and a second cryptographic token,wherein the second cryptographic token is associated with a second key.

Example 29b: The method of example 28b, wherein the secondauthentication information includes the second key and the firstcryptographic token.

Example 30b: The method of example 25b, wherein the first controllergenerates a first identification, wherein the first identification isused to match the first authentication information with the secondauthentication information, wherein the method comprising: receiving thefirst identification.

Example 31b: The method of example 30b, wherein the mobile device is togenerate a second identification which is a second uniqueidentification, wherein the method comprises: receiving the secondidentification via the point-of-user-interaction apparatus, wherein thesecond identification is used to identify the mobile device to thepoint-of-user-interaction apparatus.

Example 32b: The method of example 31b, wherein thepoint-of-user-interaction apparatus is to generate a thirdidentification which is a third unique identification, wherein themethod comprises: receiving the third identification via the mobiledevice.

Example 33b: The method of example 32b, wherein the second uniqueidentification and same as the third unique identification, or whereinthe second unique identification and different than the third uniqueidentification.

Example 34b: A machine-readable media having machine-executableinstructions stored thereon, that when executed, cause one or moreprocessors to perform a method for authenticating a transaction betweena mobile device and a point-of-user-interaction apparatus, the methodcomprising: receiving a first authentication information from the mobiledevice; receiving a second authentication information from thepoint-of-user-interaction apparatus; authenticating a transactionbetween the mobile device and the point-of-user-interaction apparatus byapplication of the first authentication information and the secondauthentication information; notifying the mobile device of a validity ofthe transaction; and notifying the point-of-user-interaction apparatusof the validity of the transaction.

Example 35b: The machine-readable media of example 34b, the methodcomprising: receiving a first identification, wherein the firstidentification is generated by the point-of-user-interaction apparatus,wherein the first identification is used to match the firstauthentication information with the second authentication information.

Example 36b: The machine-readable media of example 35b, the methodcomprising: receiving a second identification via thepoint-of-user-interaction apparatus,

-   -   wherein the second identification is generated by the mobile        device, wherein the second identification is a second unique        identification which is used to identify the mobile device to        the point-of-user-interaction apparatus.

Example 37b: The machine-readable media of example 36b, wherein thepoint-of-user-interaction apparatus is to generate a thirdidentification which is a third unique identification, wherein themethod comprises: receiving the third identification via the mobiledevice.

Example 38b: The machine-readable media of example 37b, wherein thesecond unique identification and same as the third uniqueidentification, or wherein the second unique identification anddifferent than the third unique identification.

An abstract is provided that will allow the reader to ascertain thenature and gist of the technical disclosure. The abstract is submittedwith the understanding that it will not be used to limit the scope ormeaning of the claims. The following claims are hereby incorporated intothe detailed description, with each claim standing on its own as aseparate embodiment.

We claim:
 1. A point-of-user-interaction apparatus, comprising: a memoryto store a communication message; a first controller with a securityfunction, the first controller communicatively coupled to the memory,wherein the first controller is to generate a first authenticationinformation and a second authentication information; a message circuitryto wirelessly transmit the communication message to a mobile device; oneor more interfaces to: transmit the communication message to the messagecircuitry; transmit the first authentication information, via themessage circuitry, to the mobile device, and transmit, via a networkconnection, the second authentication information to a computing device;a display unit to display an application to communicate with a user ofthe mobile device; and a second controller communicatively coupled tothe display unit; wherein the first controller is to instruct at leastone of the one or more interfaces to transmit the first authenticationinformation to the mobile device; wherein the second controller is toinstruct at least one of the one or more interfaces to transmit thesecond authentication information to the computing device, wherein thecomputing device is to authenticate a transaction between thepoint-of-user-interaction apparatus and the mobile device via the firstauthentication information and the second authentication information,and wherein the computing device is to notify the second controller of avalid transaction between mobile device and thepoint-of-user-interaction apparatus after the computing deviceauthenticates the transaction.
 2. The point-of-user-interactionapparatus of claim 1, comprises a circuitry operable to modify thecommunication message.
 3. The point-of-user-interaction apparatus ofclaim 1, wherein the mobile device includes: an antenna to detect orread the communication message from the point-of-user-interactionapparatus near the mobile device; a reader to initiate a transmission ofa command to the point-of-user-interaction apparatus, and to read aresponse from the point-of-user-interaction apparatus, wherein thereader is coupled to the antenna; a display unit to display anapplication based on the response from the point-of-user-interactionapparatus and/or the communication message; and a circuitry to receivethe first authentication information from the point-of-user-interactionapparatus, wherein the circuitry is to send the first authenticationinformation to the computing device.
 4. The point-of-user-interactionapparatus of claim 1, wherein the first authentication informationincludes: a first key, wherein the first key is associated with a firstcryptographic token; and a second cryptographic token, wherein thesecond cryptographic token is associated with a second key.
 5. Thepoint-of-user-interaction apparatus of claim 4, wherein the secondauthentication information includes the second key and the firstcryptographic token.
 6. The point-of-user-interaction apparatus of claim3, wherein the first controller generates a first identification,wherein the first identification is used to match the firstauthentication information with the second authentication information.7. The point-of-user-interaction apparatus of claim 6, wherein thecircuitry is to generate a second identification which is a secondunique identification, wherein the second identification is provided tothe computing device via the point-of-user-interaction apparatus,wherein the second identification is used to identify the mobile deviceto the point-of-user-interaction apparatus.
 8. Thepoint-of-user-interaction apparatus of claim 7, wherein the firstcontroller is to generate a third identification which is a third uniqueidentification, wherein the third identification is provided to thecomputing device via the mobile device.
 9. The point-of-user-interactionapparatus claim 8, wherein the second unique identification and same asthe third unique identification, or wherein the second uniqueidentification and different than the third unique identification. 10.The point-of-user-interaction apparatus of claim 3, wherein the antennacontinuously or regularly listens for communication messages near themobile device.
 11. The point-of-user-interaction apparatus of claim 1,wherein the communication message comprises a near field communication(NFC) data exchange format (NDEF) tag.
 12. The point-of-user-interactionapparatus of claim 3, wherein the transmission and the response are nearfield communications.
 13. The point-of-user-interaction apparatus ofclaim 3, wherein the reader comprises a first application programmableinterface to initiate the transmission and to read the response.
 14. Thepoint-of-user-interaction apparatus of claim 13, wherein the mobiledevice comprises a second application programmable interface to issue anotification or a hyperlink based on the response, wherein a userinteraction with the notification or the hyperlink is to cause thedisplay of the application.
 15. The point-of-user-interaction apparatusof claim 14, wherein the notification or the hyperlink is part of thecommunication message.
 16. The point-of-user-interaction apparatus ofclaim 14, wherein the mobile device comprises a camera or a biometricsensor to authenticate a user of the mobile device based on thenotification or the hyperlink.
 17. The point-of-user-interactionapparatus of claim 1, wherein the mobile device comprises a camera or abiometric sensor to authenticate a user of the mobile device.
 18. Thepoint-of-user-interaction apparatus of claim 1, wherein the validtransaction is a financial transaction or wherein the valid transactionis a voting ballot.
 19. The point-of-user-interaction apparatus of claim5, wherein: the mobile device is to send the first key and the secondcryptographic token to the computing device; the computing device is todecode the second cryptographic token with the second key, the computingdevice is to decode the first cryptographic token with the first key,and computing device is to notify the second controller of a validtransaction between the mobile device and the point-of-user interactionapparatus after the first cryptographic token and the secondcryptographic token are decoded.
 20. The point-of-user-interactionapparatus of claim 1, wherein the message circuitry comprises an NFCradio.
 21. A point-of-user-interaction apparatus, comprising: a memoryto store a communication message; a processor circuitry with a securityfunction, the processor circuitry communicatively coupled to the memory,wherein the processor circuitry is to generate a first authenticationinformation and a second authentication information; a message circuitryto wirelessly transmit the communication message to a mobile device; oneor more interfaces to: transmit the communication message to the messagecircuitry; transmit the first authentication information, via themessage circuitry, to the mobile device, and transmit the secondauthentication information to a computing device; and a display unit todisplay an application to communicate with a user of the mobile device,wherein the display unit is communicatively coupled to the processorcircuitry; wherein the processor circuitry is to instruct at least oneof the one or more interfaces to transmit the first authenticationinformation to the mobile device; wherein the processor circuitry is toinstruct at least one of the one or more interfaces to transmit thesecond authentication information to the computing device, wherein thecomputing device is to authenticate a transaction between thepoint-of-user-interaction apparatus and the mobile device via the firstauthentication information and the second authentication information,and wherein the computing device is to notify the processor circuitry ofa valid transaction between mobile device and thepoint-of-user-interaction apparatus after the computing deviceauthenticates the transaction.
 22. The point-of-user-interactionapparatus of claim 21, wherein the processor circuitry is part of asystem-on-chip (SoC).
 23. A method performed by apoint-of-user-interaction apparatus, the method comprising: wirelesslytransmitting a communication message to a mobile device, wherein thecommunication message is stored in a memory, wherein the memory iscommunicatively coupled to a processor circuitry; generating a firstauthentication information and a second authentication information;transmitting the first authentication information to the mobile device;transmitting the second authentication information to a computingdevice; displaying an application to communicate with a user of themobile device, wherein the processor circuitry is to instruct at leastone of a one or more interfaces to transmit the first authenticationinformation to the mobile device, wherein the processor circuitry is toinstruct at least one of the one or more interfaces to transmit thesecond authentication information to the computing device, wherein thecomputing device is to authenticate a transaction between thepoint-of-user-interaction apparatus and the mobile device via the firstauthentication information and the second authentication information;and receiving a notification of a valid transaction between mobiledevice and the point-of-user-interaction apparatus after the computingdevice authenticates the transaction.
 24. The method of claim 23 furthercomprising modifying the communication message.
 25. The method of claim23 further comprising generating a first identification, wherein thefirst identification is used to match the first authenticationinformation with the second authentication information.
 26. The methodof claim 25, wherein the mobile device is to generate a secondidentification which is a second unique identification, wherein thesecond identification is provided to the computing device via thepoint-of-user-interaction apparatus, wherein the second identificationis used to identify the mobile device to the point-of-user-interactionapparatus.
 27. The method of claim 26, further comprising generating athird identification which is a third unique identification, wherein thethird identification is provided to the computing device via the mobiledevice.
 28. The method of claim 27, wherein the second uniqueidentification and same as the third unique identification, or whereinthe second unique identification and different than the third uniqueidentification.
 29. A machine-readable storage media having one or moremachine-readable instructions stored therein, that when executed, causeone or more machines to perform a method for secure and fast transactionbetween a mobile device and a point-of-user-interaction apparatus, themethod comprising: wirelessly transmitting a communication message to amobile device, wherein the communication message is stored in a memory,wherein the memory is communicatively coupled to a processor circuitry;generating a first authentication information and a secondauthentication information; transmitting the first authenticationinformation to the mobile device, transmitting the second authenticationinformation to a computing device; displaying an application tocommunicate with a user of the mobile device, wherein the processorcircuitry is to instruct at least one of a one or more interfaces totransmit the first authentication information to the mobile device,wherein the processor circuitry is to instruct at least one of the oneor more interfaces to transmit the second authentication information tothe computing device, wherein the computing device is to authenticate atransaction between the point-of-user-interaction apparatus and themobile device via the first authentication information and the secondauthentication information; and receiving a notification of a validtransaction between mobile device and the point-of-user-interactionapparatus after the computing device authenticates the transaction. 30.The machine-readable storage media of claim 29 having further one ormore machine-readable instructions stored therein, that when executed,cause the one or more machines to perform a further method comprising:modifying the communication message.
 31. The machine-readable storagemedia of claim 29 having further one or more machine-readableinstructions stored therein, that when executed, cause the one or moremachines to perform a further method comprising: generating a firstidentification, wherein the first identification is used to match thefirst authentication information with the second authenticationinformation.
 32. The machine-readable storage media of claim 31, whereinthe mobile device is to generate a second identification which is asecond unique identification, wherein the second identification isprovided to the computing device via the point-of-user-interactionapparatus, wherein the second identification is used to identify themobile device to the point-of-user-interaction apparatus.
 33. Themachine-readable storage media of claim 32, having further one or moremachine-readable instructions stored therein, that when executed, causethe one or more machines to perform a further method comprising:generating a third identification which is a third uniqueidentification, wherein the third identification is provided to thecomputing device via the mobile device.
 34. The machine-readable storagemedia of claim 33, wherein the second unique identification and same asthe third unique identification, or wherein the second uniqueidentification and different than the third unique identification.